From 99c1bb4ed9d99c7b0f615750c37884d7a7f9aa0d Mon Sep 17 00:00:00 2001 From: "Heiko Schlittermann (HS12)" Date: Thu, 9 Apr 2015 17:30:58 +0200 Subject: [PATCH] Make dnssec_request_domains/dnssec_require_domains generic Not only the dnslookup router should use DNSSEC for lookups. The manualroute and even queryprogram router may just generate a host list. The names then need to be resolved, optionally via DNSSEC. --- doc/doc-docbook/spec.xfpt | 41 +++++++++++++--------------- doc/doc-txt/ChangeLog | 2 ++ src/src/globals.c | 5 +++- src/src/route.c | 4 +++ src/src/routers/dnslookup.c | 8 +----- src/src/routers/dnslookup.h | 2 -- src/src/routers/rf_lookup_hostlist.c | 7 +++-- src/src/structs.h | 2 ++ test/stdout/0147 | 2 ++ test/stdout/0442 | 2 ++ 10 files changed, 40 insertions(+), 35 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index f274db74e..bd1c8bfdd 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt 
@@ -17018,6 +17018,25 @@ or for any deliveries caused by this router. You should not set this option unless you really, really know what you are doing. See also the generic transport option of the same name. +.option dnssec_request_domains routers "domain list&!!" unset +.cindex "MX record" "security" +.cindex "DNSSEC" "MX lookup" +.cindex "security" "MX lookup" +.cindex "DNS" "DNSSEC" +DNS lookups for domains matching &%dnssec_request_domains%& will be done with +the dnssec request bit set. +This applies to all of the SRV, MX, AAAA, A lookup sequence. + +.option dnssec_require_domains routers "domain list&!!" unset +.cindex "MX record" "security" +.cindex "DNSSEC" "MX lookup" +.cindex "security" "MX lookup" +.cindex "DNS" "DNSSEC" +DNS lookups for domains matching &%dnssec_request_domains%& will be done with +the dnssec request bit set. Any returns not having the Authenticated Data bit +(AD bit) set wil be ignored and logged as a host-lookup failure. +This applies to all of the SRV, MX, AAAA, A lookup sequence. + .option domains routers&!? "domain list&!!" unset .cindex "router" "restricting to specific domains" 
@@ -18070,28 +18089,6 @@ when there is a DNS lookup error. -.option dnssec_request_domains dnslookup "domain list&!!" unset -.cindex "MX record" "security" -.cindex "DNSSEC" "MX lookup" -.cindex "security" "MX lookup" -.cindex "DNS" "DNSSEC" -DNS lookups for domains matching &%dnssec_request_domains%& will be done with -the dnssec request bit set. -This applies to all of the SRV, MX, AAAA, A lookup sequence. - - - -.option dnssec_require_domains dnslookup "domain list&!!" unset -.cindex "MX record" "security" -.cindex "DNSSEC" "MX lookup" -.cindex "security" "MX lookup" -.cindex "DNS" "DNSSEC" -DNS lookups for domains matching &%dnssec_request_domains%& will be done with -the dnssec request bit set. Any returns not having the Authenticated Data bit -(AD bit) set wil be ignored and logged as a host-lookup failure. -This applies to all of the SRV, MX, AAAA, A lookup sequence. - - .option fail_defer_domains dnslookup "domain list&!!" unset .cindex "MX record" "not found" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index c0a965eeb..2421bab45 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -83,6 +83,8 @@ JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size JH/24 Verification callouts now attempt to use TLS by default. +HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) + are generic router options now. The defaults didn't change. Exim version 4.85 diff --git a/src/src/globals.c b/src/src/globals.c index a71c80ed9..868b27e83 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -1168,7 +1168,10 @@ router_instance router_defaults = { NULL, /* fallback_hostlist */ NULL, /* transport instance */ NULL, /* pass_router */ - NULL /* redirect_router */ + NULL, /* redirect_router */ + + NULL, /* dnssec_request_domains */ + NULL /* dnssec_require_domains */ }; uschar *router_name = NULL; diff --git a/src/src/route.c b/src/src/route.c index ec188801c..2f534b7bf 100644 --- a/src/src/route.c 
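Review bot: The two `NULL` entries appended to `router_defaults` are positional, so they silently depend on `dnssec_request_domains` and `dnssec_require_domains` being the last two members of `router_instance`, in that order, as declared in the structs.h hunk of this patch; a later member inserted before them would shift every following default without any compiler diagnostic. If the project's compiler baseline allows C99 designated initializers, `.dnssec_request_domains = NULL, .dnssec_require_domains = NULL,` would make the correspondence self-checking; otherwise a comment such as `/* order must match router_instance in structs.h */` above the new entries would at least make the dependency visible. The NULL defaults leave both lists unset, which is consistent with the ChangeLog entry stating that the defaults did not change. The initializer's remaining members lie outside the hunk.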
+++ b/src/src/route.c @@ -54,6 +54,10 @@ optionlist optionlist_routers[] = { (void *)offsetof(router_instance, debug_string) }, { "disable_logging", opt_bool | opt_public, (void *)offsetof(router_instance, disable_logging) }, + { "dnssec_request_domains", opt_stringptr|opt_public, + (void *)offsetof(router_instance, dnssec_request_domains) }, + { "dnssec_require_domains", opt_stringptr|opt_public, + (void *)offsetof(router_instance, dnssec_require_domains) }, { "domains", opt_stringptr|opt_public, (void *)offsetof(router_instance, domains) }, { "driver", opt_stringptr|opt_public, diff --git a/src/src/routers/dnslookup.c b/src/src/routers/dnslookup.c index 650e56d33..69b240428 100644 --- a/src/src/routers/dnslookup.c +++ b/src/src/routers/dnslookup.c @@ -18,10 +18,6 @@ optionlist dnslookup_router_options[] = { (void *)(offsetof(dnslookup_router_options_block, check_secondary_mx)) }, { "check_srv", opt_stringptr, (void *)(offsetof(dnslookup_router_options_block, check_srv)) }, - { "dnssec_request_domains", opt_stringptr, - (void *)(offsetof(dnslookup_router_options_block, dnssec_request_domains)) }, - { "dnssec_require_domains", opt_stringptr, - (void *)(offsetof(dnslookup_router_options_block, dnssec_require_domains)) }, { "fail_defer_domains", opt_stringptr, (void *)(offsetof(dnslookup_router_options_block, fail_defer_domains)) }, { "mx_domains", opt_stringptr, @@ -60,8 +56,6 @@ dnslookup_router_options_block dnslookup_router_option_defaults = { NULL, /* mx_fail_domains */ NULL, /* srv_fail_domains */ NULL, /* check_srv */ - NULL, /* dnssec_request_domains */ - NULL, /* dnssec_require_domains */ NULL /* fail_defer_domains */ }; 
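Review bot: Both options are registered as `opt_public`, so every router driver now accepts them, but only drivers that pass them to host_find_bydns (dnslookup and the rf_lookup_hostlist callers touched in this patch) act on them; the test dumps 0147/0442 show them being listed for a `driver = accept` router, where setting `dnssec_require_domains` is accepted by the config parser and then has no effect, which is easy to mistake for an enforced policy. The table change itself looks right: the entries keep the alphabetical order between `disable_logging` and `domains` that the option dumps reflect. I would add `/* Generic so that every host-resolving router can use them; routers that never resolve hosts ignore them */` above the new entries, and say the same in the spec.xfpt text for both options so the no-effect case is documented rather than discovered. The `optionlist_routers` array continues outside the hunk.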
@@ -271,7 +265,7 @@ for (;;) rc = host_find_bydns(&h, CUS rblock->ignore_target_hosts, flags, srv_service, ob->srv_fail_domains, ob->mx_fail_domains, - ob->dnssec_request_domains, ob->dnssec_require_domains, + rblock->dnssec_request_domains, rblock->dnssec_require_domains, &fully_qualified_name, &removed); if (removed) setflag(addr, af_local_host_removed); diff --git a/src/src/routers/dnslookup.h b/src/src/routers/dnslookup.h index 907ff0ce3..af01d5611 100644 --- a/src/src/routers/dnslookup.h +++ b/src/src/routers/dnslookup.h @@ -17,8 +17,6 @@ typedef struct { uschar *mx_fail_domains; uschar *srv_fail_domains; uschar *check_srv; - uschar *dnssec_request_domains; - uschar *dnssec_require_domains; uschar *fail_defer_domains; } dnslookup_router_options_block; diff --git a/src/src/routers/rf_lookup_hostlist.c b/src/src/routers/rf_lookup_hostlist.c index ab2e4ec2c..7ff7f45e1 100644 --- a/src/src/routers/rf_lookup_hostlist.c +++ b/src/src/routers/rf_lookup_hostlist.c @@ -94,8 +94,8 @@ for (h = addr->host_list; h != NULL; h = next_h) NULL, /* SRV service not relevant */ NULL, /* failing srv domains not relevant */ NULL, /* no special mx failing domains */ - NULL, /* no dnssec request XXX ? */ - NULL, /* no dnssec require XXX ? */ + rblock->dnssec_request_domains, /* no dnssec request XXX ? */ + rblock->dnssec_require_domains, /* no dnssec require XXX ? */ NULL, /* fully_qualified_name */ NULL); /* indicate local host removed */ } @@ -120,7 +120,8 @@ for (h = addr->host_list; h != NULL; h = next_h) DEBUG(D_route|D_host_lookup) debug_printf("doing DNS lookup\n"); rc = host_find_bydns(h, ignore_target_hosts, HOST_FIND_BY_A, NULL, NULL, NULL, - NULL, NULL, /*XXX dnssec? */ + rblock->dnssec_request_domains, /* no dnssec request XXX ? */ + rblock->dnssec_require_domains, /* no dnssec require XXX ? */ &canonical_name, &removed); if (rc == HOST_FOUND) { diff --git a/src/src/structs.h b/src/src/structs.h index c181f3f6e..3f9fb6050 100644 --- a/src/src/structs.h 
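Review bot: The comments kept on the new arguments in the hunk at line 94, `/* no dnssec request XXX ? */` and `/* no dnssec require XXX ? */`, now contradict the code, since the arguments are no longer NULL but the router's configured lists, and the same stale wording is reused in the second hunk at line 120. Replace them in both places with `rblock->dnssec_request_domains, /* domains to query with the DNSSEC request bit */` and `rblock->dnssec_require_domains, /* domains whose answers must carry the AD bit */`, so a reader does not assume DNSSEC is still unsupported on this path. These lists are presumably matched inside host_find_bydns against the name being resolved, which on this path is a host-list entry (the loop runs over `addr->host_list`) rather than the recipient domain as in the dnslookup router; that difference deserves a sentence in spec.xfpt, and whether an unauthenticated answer for a required name is reported as HOST_FIND_FAILED or HOST_FIND_AGAIN, and thus whether the host is dropped or the address deferred, is decided outside these hunks. The enclosing `for (h = addr->host_list; ...)` loop begins before and ends after both hunks.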
+++ b/src/src/structs.h @@ -296,6 +296,8 @@ typedef struct router_instance { transport_instance *transport; /* Transport block (when found) */ struct router_instance *pass_router; /* Actual router for passed address */ struct router_instance *redirect_router; /* Actual router for generated address */ + uschar *dnssec_request_domains; /* ask for DNSSEC XXX */ + uschar *dnssec_require_domains; /* require DNSSEC XXX */ } router_instance; diff --git a/test/stdout/0147 b/test/stdout/0147 index b877c6110..45e48244b 100644 --- a/test/stdout/0147 +++ b/test/stdout/0147 @@ -23,6 +23,8 @@ no_check_local_user condition = debug_print = no_disable_logging +dnssec_request_domains = +dnssec_require_domains = domains = driver = accept no_dsn_lasthop diff --git a/test/stdout/0442 b/test/stdout/0442 index b47d7b31b..34c6510fd 100644 --- a/test/stdout/0442 +++ b/test/stdout/0442 @@ -8,6 +8,8 @@ no_check_local_user condition = debug_print = no_disable_logging +dnssec_request_domains = +dnssec_require_domains = domains = driver = accept no_dsn_lasthop -- 2.25.1
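Review bot: The two new members still carry placeholder comments, `/* ask for DNSSEC XXX */` and `/* require DNSSEC XXX */`, in a struct where every neighbouring field has a finished description. Based on the option text this patch adds to spec.xfpt, `uschar *dnssec_request_domains; /* Domains whose DNS lookups set the DNSSEC request bit */` and `uschar *dnssec_require_domains; /* Domains whose DNS answers must have the AD bit, else lookup fails */` would state what each list does and what a missing AD bit costs. It may also be worth noting in the comment that these are router-generic lists consumed by host_find_bydns, since they replace the private fields removed from `dnslookup_router_options_block` in the same patch. `router_instance` begins before this hunk.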