From 0fbd9bff71b47e3a32e54629c3f67e7eda1812fe Mon Sep 17 00:00:00 2001
From: Phil Pennock <pdp@exim.org>
Date: Sat, 23 Mar 2013 19:46:22 -0400
Subject: [PATCH] Rename dns_use_dnssec to dns_dnssec_ok.

This per Tony's suggestion; this makes it clearer that we are merely
setting resolver flags, not performing validation ourselves.

Well, clearer to those who understand DNSSEC.  For everyone else,
they'll still be dependent upon a forthcoming new chapter to the
Specification.
---
 doc/doc-txt/ChangeLog |  4 ++++
 doc/doc-txt/NewStuff  |  5 +++--
 src/src/dns.c         | 14 +++++++-------
 src/src/globals.c     |  2 +-
 src/src/globals.h     |  2 +-
 src/src/readconf.c    |  2 +-
 6 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a2e204d34..abaee5659 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -181,6 +181,10 @@ PP/18 OpenSSL made graceful with empty tls_verify_certificates setting.
       unset was to force an expansion failure.  That still works, and
       an empty string is now equivalent.
 
+PP/19 Renamed DNSSEC-enabling option to "dns_dnssec_ok", to make it
+      clearer that Exim is using the DO (DNSSEC OK) EDNS0 resolver flag,
+      not performing validation itself.
+
 
 Exim version 4.80.1
 -------------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 47c5f6fec..ab8589e53 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -32,10 +32,11 @@ Version 4.82
     Unless you really know what you are doing, leave it alone.
 
  4. If not built with DISABLE_DNSSEC, Exim now has the main option
-    dns_use_dnssec; if set to 1 then Exim will initialise the resolver library
+    dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library
     to send the DO flag to your recursive resolver.  If you have a recursive
     resolver, which can set the Authenticated Data (AD) flag in results, Exim
-    can now detect this.
+    can now detect this.  Exim does not perform validation itself, instead
+    relying upon a trusted path to the resolver.
 
     Current status: work-in-progress; $sender_host_dnssec variable added.
 
diff --git a/src/src/dns.c b/src/src/dns.c
index 95db52686..820adff01 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -206,28 +206,28 @@ if (dns_use_edns0 >= 0)
 #  ifndef RES_USE_EDNS0
 #   error Have RES_USE_DNSSEC but not RES_USE_EDNS0?  Something hinky ...
 #  endif
-if (dns_use_dnssec >= 0)
+if (dns_dnssec_ok >= 0)
   {
-  if (dns_use_edns0 == 0 && dns_use_dnssec != 0)
+  if (dns_use_edns0 == 0 && dns_dnssec_ok != 0)
     {
     DEBUG(D_resolver)
-      debug_printf("CONFLICT: dns_use_edns0 forced false, dns_use_dnssec forced true!\n");
+      debug_printf("CONFLICT: dns_use_edns0 forced false, dns_dnssec_ok forced true, ignoring latter!\n");
     }
   else
     {
-    if (dns_use_dnssec)
+    if (dns_dnssec_ok)
       resp->options |= RES_USE_DNSSEC;
     else
       resp->options &= ~RES_USE_DNSSEC;
     DEBUG(D_resolver) debug_printf("Coerced resolver DNSSEC support %s.\n",
-        dns_use_dnssec ? "on" : "off");
+        dns_dnssec_ok ? "on" : "off");
     }
   }
 # else
-if (dns_use_dnssec >= 0)
+if (dns_dnssec_ok >= 0)
   DEBUG(D_resolver)
     debug_printf("Unable to %sset DNSSEC without resolver support.\n",
-        dns_use_dnssec ? "" : "un");
+        dns_dnssec_ok ? "" : "un");
 # endif
 #endif /* DISABLE_DNSSEC */
 
diff --git a/src/src/globals.c b/src/src/globals.c
index 5db858bfc..a4898fe3f 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -597,7 +597,7 @@ BOOL    dns_csa_use_reverse    = TRUE;
 uschar *dns_ipv4_lookup        = NULL;
 int     dns_retrans            = 0;
 int     dns_retry              = 0;
-int     dns_use_dnssec         = -1; /* <0 = not coerced */
+int     dns_dnssec_ok          = -1; /* <0 = not coerced */
 int     dns_use_edns0          = -1; /* <0 = not coerced */
 uschar *dnslist_domain         = NULL;
 uschar *dnslist_matched        = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 8d83be710..df6132266 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -353,7 +353,7 @@ extern BOOL    dns_csa_use_reverse;    /* Check CSA in reverse DNS? (non-standar
 extern uschar *dns_ipv4_lookup;        /* For these domains, don't look for AAAA (or A6) */
 extern int     dns_retrans;            /* Retransmission time setting */
 extern int     dns_retry;              /* Number of retries */
-extern int     dns_use_dnssec;         /* When constructing DNS query, set DO flag */
+extern int     dns_dnssec_ok;          /* When constructing DNS query, set DO flag */
 extern int     dns_use_edns0;          /* Coerce EDNS0 support on/off in resolver. */
 extern uschar *dnslist_domain;         /* DNS (black) list domain */
 extern uschar *dnslist_matched;        /* DNS (black) list matched key */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index bba532594..77836d157 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -219,7 +219,7 @@ static optionlist optionlist_config[] = {
   { "dns_ipv4_lookup",          opt_stringptr,   &dns_ipv4_lookup },
   { "dns_retrans",              opt_time,        &dns_retrans },
   { "dns_retry",                opt_int,         &dns_retry },
-  { "dns_use_dnssec",           opt_int,         &dns_use_dnssec },
+  { "dns_dnssec_ok",            opt_int,         &dns_dnssec_ok },
   { "dns_use_edns0",            opt_int,         &dns_use_edns0 },
  /* This option is now a no-op, retained for compability */
   { "drop_cr",                  opt_bool,        &drop_cr },
-- 
2.25.1