[exim-cvs] Rename dns_use_dnssec to dns_dnssec_ok.

Autor: Exim Git Commits Mailing List
Datum:  
To: exim-cvs
Betreff: [exim-cvs] Rename dns_use_dnssec to dns_dnssec_ok.
Gitweb: http://git.exim.org/exim.git/commitdiff/0fbd9bff71b47e3a32e54629c3f67e7eda1812fe
Commit:     0fbd9bff71b47e3a32e54629c3f67e7eda1812fe
Parent:     26e72755c101f59e24735e9ca9a320d5f1ebc2b7
Author:     Phil Pennock <pdp@???>
AuthorDate: Sat Mar 23 19:46:22 2013 -0400
Committer:  Phil Pennock <pdp@???>
CommitDate: Sat Mar 23 19:46:22 2013 -0400


    Rename dns_use_dnssec to dns_dnssec_ok.


    This per Tony's suggestion; this makes it clearer that we are merely
    setting resolver flags, not performing validation ourselves.


    Well, clearer to those who understand DNSSEC.  For everyone else,
    they'll still be dependent upon a forthcoming new chapter to the
    Specification.
---
 doc/doc-txt/ChangeLog |    4 ++++
 doc/doc-txt/NewStuff  |    5 +++--
 src/src/dns.c         |   14 +++++++-------
 src/src/globals.c     |    2 +-
 src/src/globals.h     |    2 +-
 src/src/readconf.c    |    2 +-
 6 files changed, 17 insertions(+), 12 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a2e204d..abaee56 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -181,6 +181,10 @@ PP/18 OpenSSL made graceful with empty tls_verify_certificates setting.
       unset was to force an expansion failure.  That still works, and
       an empty string is now equivalent.


+PP/19 Renamed DNSSEC-enabling option to "dns_dnssec_ok", to make it
+      clearer that Exim is using the DO (DNSSEC OK) EDNS0 resolver flag,
+      not performing validation itself.
+


 Exim version 4.80.1
 -------------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 47c5f6f..ab8589e 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -32,10 +32,11 @@ Version 4.82
     Unless you really know what you are doing, leave it alone.


  4. If not built with DISABLE_DNSSEC, Exim now has the main option
-    dns_use_dnssec; if set to 1 then Exim will initialise the resolver library
+    dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library
     to send the DO flag to your recursive resolver.  If you have a recursive
     resolver, which can set the Authenticated Data (AD) flag in results, Exim
-    can now detect this.
+    can now detect this.  Exim does not perform validation itself, instead
+    relying upon a trusted path to the resolver.


     Current status: work-in-progress; $sender_host_dnssec variable added.


diff --git a/src/src/dns.c b/src/src/dns.c
index 95db526..820adff 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -206,28 +206,28 @@ if (dns_use_edns0 >= 0)
 #  ifndef RES_USE_EDNS0
 #   error Have RES_USE_DNSSEC but not RES_USE_EDNS0?  Something hinky ...
 #  endif
-if (dns_use_dnssec >= 0)
+if (dns_dnssec_ok >= 0)
   {
-  if (dns_use_edns0 == 0 && dns_use_dnssec != 0)
+  if (dns_use_edns0 == 0 && dns_dnssec_ok != 0)
     {
     DEBUG(D_resolver)
-      debug_printf("CONFLICT: dns_use_edns0 forced false, dns_use_dnssec forced true!\n");
+      debug_printf("CONFLICT: dns_use_edns0 forced false, dns_dnssec_ok forced true, ignoring latter!\n");
     }
   else
     {
-    if (dns_use_dnssec)
+    if (dns_dnssec_ok)
       resp->options |= RES_USE_DNSSEC;
     else
       resp->options &= ~RES_USE_DNSSEC;
     DEBUG(D_resolver) debug_printf("Coerced resolver DNSSEC support %s.\n",
-        dns_use_dnssec ? "on" : "off");
+        dns_dnssec_ok ? "on" : "off");
     }
   }
 # else
-if (dns_use_dnssec >= 0)
+if (dns_dnssec_ok >= 0)
   DEBUG(D_resolver)
     debug_printf("Unable to %sset DNSSEC without resolver support.\n",
-        dns_use_dnssec ? "" : "un");
+        dns_dnssec_ok ? "" : "un");
 # endif
 #endif /* DISABLE_DNSSEC */
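Review bot: Both places where a requested `dns_dnssec_ok` cannot be honoured report it only under `DEBUG(D_resolver)`: the conflict branch (`dns_use_edns0 == 0 && dns_dnssec_ok != 0`) and the `# else` branch for a resolver without `RES_USE_DNSSEC`. An operator who sets the option to 1 therefore gets no indication in normal operation that the DO flag is not being sent, and anything that later keys off the AD bit (NewStuff mentions `$sender_host_dnssec`) would quietly never see it. Consider reporting the conflict once when the configuration is read rather than per resolver initialisation, or at least add a comment on the conflict branch such as `/* DO flag not set here; AD-based checks will see no authenticated data */`. The enclosing function begins before this hunk, so where a config-time check belongs cannot be judged from here.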


diff --git a/src/src/globals.c b/src/src/globals.c
index 5db858b..a4898fe 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -597,7 +597,7 @@ BOOL    dns_csa_use_reverse    = TRUE;
 uschar *dns_ipv4_lookup        = NULL;
 int     dns_retrans            = 0;
 int     dns_retry              = 0;
-int     dns_use_dnssec         = -1; /* <0 = not coerced */
+int     dns_dnssec_ok          = -1; /* <0 = not coerced */
 int     dns_use_edns0          = -1; /* <0 = not coerced */
 uschar *dnslist_domain         = NULL;
 uschar *dnslist_matched        = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 8d83be7..df61322 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -353,7 +353,7 @@ extern BOOL    dns_csa_use_reverse;    /* Check CSA in reverse DNS? (non-standar
 extern uschar *dns_ipv4_lookup;        /* For these domains, don't look for AAAA (or A6) */
 extern int     dns_retrans;            /* Retransmission time setting */
 extern int     dns_retry;              /* Number of retries */
-extern int     dns_use_dnssec;         /* When constructing DNS query, set DO flag */
+extern int     dns_dnssec_ok;          /* When constructing DNS query, set DO flag */
 extern int     dns_use_edns0;          /* Coerce EDNS0 support on/off in resolver. */
 extern uschar *dnslist_domain;         /* DNS (black) list domain */
 extern uschar *dnslist_matched;        /* DNS (black) list matched key */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index bba5325..77836d1 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -219,7 +219,7 @@ static optionlist optionlist_config[] = {
   { "dns_ipv4_lookup",          opt_stringptr,   &dns_ipv4_lookup },
   { "dns_retrans",              opt_time,        &dns_retrans },
   { "dns_retry",                opt_int,         &dns_retry },
-  { "dns_use_dnssec",           opt_int,         &dns_use_dnssec },
+  { "dns_dnssec_ok",            opt_int,         &dns_dnssec_ok },
   { "dns_use_edns0",            opt_int,         &dns_use_edns0 },
  /* This option is now a no-op, retained for compability */
   { "drop_cr",                  opt_bool,        &drop_cr },
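Review bot: The renamed entry `{ "dns_dnssec_ok", opt_int, &dns_dnssec_ok },` stays in the slot the old name occupied, between `dns_retry` and `dns_use_edns0`, which breaks the alphabetical order every other visible entry follows. If `optionlist_config` is searched by binary chop, as `find_option` in readconf.c does, an out-of-order entry can make the option unrecognised or disturb lookups of its neighbours. Move the line so it sorts before `dns_ipv4_lookup`, after any `dns_c…` entries. The table starts and ends outside this hunk, so the exact position needs checking against the full array.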