ph10 2006/11/20 13:53:44 GMT
Modified files:
exim-doc/doc-txt ChangeLog
exim-src/src dns.c
Log:
Lock out "A-for-A" DNS lookups.
Revision Changes Path
1.438 +6 -0 exim/exim-doc/doc-txt/ChangeLog
1.16 +15 -1 exim/exim-src/src/dns.c
Index: ChangeLog
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
retrieving revision 1.437
retrieving revision 1.438
diff -u -r1.437 -r1.438
--- ChangeLog 20 Nov 2006 11:57:56 -0000 1.437
+++ ChangeLog 20 Nov 2006 13:53:44 -0000 1.438
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.437 2006/11/20 11:57:56 ph10 Exp $
+$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.438 2006/11/20 13:53:44 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -324,6 +324,12 @@
to match changes made in 4.64-PH/43
PH/46 Applied Jori Hamalainen's patch to add features to exiqsumm.
+
+PH/47 Put in an explicit test for a DNS lookup of an address record where the
+ "domain" is actually an IP address, and force a failure. This locks out
+ those revolvers/nameservers that support "A-for-A" lookups, in
+ contravention of the specifications.
+
Index: dns.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/dns.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- dns.c 7 Nov 2006 14:13:19 -0000 1.15
+++ dns.c 20 Nov 2006 13:53:44 -0000 1.16
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/dns.c,v 1.15 2006/11/07 14:13:19 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/dns.c,v 1.16 2006/11/20 13:53:44 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -453,6 +453,7 @@
Returns: DNS_SUCCEED successful lookup
DNS_NOMATCH name not found (NXDOMAIN)
or name contains illegal characters (if checking)
+ or name is an IP address (for IP address lookup)
DNS_NODATA domain exists, but no data for this type (NODATA)
DNS_AGAIN soft failure, try again later
DNS_FAIL DNS failure
@@ -539,7 +540,20 @@
number of bytes the message would need, so we need to check for this case. The
effect is to truncate overlong data.
-If we are running in the test harness, instead of calling the normal resolver
+On some systems, res_search() will recognize "A-for-A" queries and return
+the IP address instead of returning -1 with h_error=HOST_NOT_FOUND. Some
+nameservers are also believed to do this. It is, of course, contrary to the
+specification of the DNS, so we lock it out. */
+
+if ((
+ #ifdef SUPPORT_A6
+ type == T_A6 ||
+ #endif
+ type == T_A || type == T_AAAA) &&
+ string_is_ip_address(name, NULL) != 0)
+ return DNS_NOMATCH;
+
+/* If we are running in the test harness, instead of calling the normal resolver
(res_search), we call fakens_search(), which recognizes certain special
domains, and interfaces to a fake nameserver for certain special zones. */
