Gitweb:
http://git.exim.org/exim.git/commitdiff/0fbd9bff71b47e3a32e54629c3f67e7eda1812fe
Commit: 0fbd9bff71b47e3a32e54629c3f67e7eda1812fe
Parent: 26e72755c101f59e24735e9ca9a320d5f1ebc2b7
Author: Phil Pennock <pdp@???>
AuthorDate: Sat Mar 23 19:46:22 2013 -0400
Committer: Phil Pennock <pdp@???>
CommitDate: Sat Mar 23 19:46:22 2013 -0400
Rename dns_use_dnssec to dns_dnssec_ok.
This is per Tony's suggestion; it makes it clearer that we are merely
setting resolver flags, not performing DNSSEC validation ourselves.
Well, clearer to those who understand DNSSEC. For everyone else,
they'll still be dependent upon a forthcoming new chapter to the
Specification.
---
doc/doc-txt/ChangeLog | 4 ++++
doc/doc-txt/NewStuff | 5 +++--
src/src/dns.c | 14 +++++++-------
src/src/globals.c | 2 +-
src/src/globals.h | 2 +-
src/src/readconf.c | 2 +-
6 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a2e204d..abaee56 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -181,6 +181,10 @@ PP/18 OpenSSL made graceful with empty tls_verify_certificates setting.
unset was to force an expansion failure. That still works, and
an empty string is now equivalent.
+PP/19 Renamed DNSSEC-enabling option to "dns_dnssec_ok", to make it
+ clearer that Exim is using the DO (DNSSEC OK) EDNS0 resolver flag,
+ not performing validation itself.
+
Exim version 4.80.1
-------------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 47c5f6f..ab8589e 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -32,10 +32,11 @@ Version 4.82
Unless you really know what you are doing, leave it alone.
4. If not built with DISABLE_DNSSEC, Exim now has the main option
- dns_use_dnssec; if set to 1 then Exim will initialise the resolver library
+ dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library
to send the DO flag to your recursive resolver. If you have a recursive
resolver, which can set the Authenticated Data (AD) flag in results, Exim
- can now detect this.
+ can now detect this. Exim does not perform validation itself, instead
+ relying upon a trusted path to the resolver.
Current status: work-in-progress; $sender_host_dnssec variable added.
diff --git a/src/src/dns.c b/src/src/dns.c
index 95db526..820adff 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -206,28 +206,28 @@ if (dns_use_edns0 >= 0)
# ifndef RES_USE_EDNS0
# error Have RES_USE_DNSSEC but not RES_USE_EDNS0? Something hinky ...
# endif
-if (dns_use_dnssec >= 0)
+if (dns_dnssec_ok >= 0)
{
- if (dns_use_edns0 == 0 && dns_use_dnssec != 0)
+ if (dns_use_edns0 == 0 && dns_dnssec_ok != 0)
{
DEBUG(D_resolver)
- debug_printf("CONFLICT: dns_use_edns0 forced false, dns_use_dnssec forced true!\n");
+ debug_printf("CONFLICT: dns_use_edns0 forced false, dns_dnssec_ok forced true, ignoring latter!\n");
}
else
{
- if (dns_use_dnssec)
+ if (dns_dnssec_ok)
resp->options |= RES_USE_DNSSEC;
else
resp->options &= ~RES_USE_DNSSEC;
DEBUG(D_resolver) debug_printf("Coerced resolver DNSSEC support %s.\n",
- dns_use_dnssec ? "on" : "off");
+ dns_dnssec_ok ? "on" : "off");
}
}
# else
-if (dns_use_dnssec >= 0)
+if (dns_dnssec_ok >= 0)
DEBUG(D_resolver)
debug_printf("Unable to %sset DNSSEC without resolver support.\n",
- dns_use_dnssec ? "" : "un");
+ dns_dnssec_ok ? "" : "un");
# endif
#endif /* DISABLE_DNSSEC */
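Review bot: The `CONFLICT:` case where dns_use_edns0 is forced off while dns_dnssec_ok is forced on is still only reported under `DEBUG(D_resolver)`, so an operator who sets dns_dnssec_ok=1 gets no DO bit sent and, presumably, never sees $sender_host_dnssec set, with nothing in the main log to explain why. Both values come straight from the configuration, so this is a misconfiguration rather than a runtime condition; consider also emitting it through the normal logging path, e.g. `log_write(0, LOG_MAIN, "dns_dnssec_ok ignored: dns_use_edns0 is forced off");` (assuming log_write is usable here), or rejecting the combination when the options are read in readconf.c. Either way the new option name in the message is good; the security concern is that the silence can leave a mail server believing it has DNSSEC-OK resolution when it does not. The enclosing function and the surrounding DISABLE_DNSSEC-conditional block start before this hunk.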
diff --git a/src/src/globals.c b/src/src/globals.c
index 5db858b..a4898fe 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -597,7 +597,7 @@ BOOL dns_csa_use_reverse = TRUE;
uschar *dns_ipv4_lookup = NULL;
int dns_retrans = 0;
int dns_retry = 0;
-int dns_use_dnssec = -1; /* <0 = not coerced */
+int dns_dnssec_ok = -1; /* <0 = not coerced */
int dns_use_edns0 = -1; /* <0 = not coerced */
uschar *dnslist_domain = NULL;
uschar *dnslist_matched = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 8d83be7..df61322 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -353,7 +353,7 @@ extern BOOL dns_csa_use_reverse; /* Check CSA in reverse DNS? (non-standar
extern uschar *dns_ipv4_lookup; /* For these domains, don't look for AAAA (or A6) */
extern int dns_retrans; /* Retransmission time setting */
extern int dns_retry; /* Number of retries */
-extern int dns_use_dnssec; /* When constructing DNS query, set DO flag */
+extern int dns_dnssec_ok; /* When constructing DNS query, set DO flag */
extern int dns_use_edns0; /* Coerce EDNS0 support on/off in resolver. */
extern uschar *dnslist_domain; /* DNS (black) list domain */
extern uschar *dnslist_matched; /* DNS (black) list matched key */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index bba5325..77836d1 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -219,7 +219,7 @@ static optionlist optionlist_config[] = {
{ "dns_ipv4_lookup", opt_stringptr, &dns_ipv4_lookup },
{ "dns_retrans", opt_time, &dns_retrans },
{ "dns_retry", opt_int, &dns_retry },
- { "dns_use_dnssec", opt_int, &dns_use_dnssec },
+ { "dns_dnssec_ok", opt_int, &dns_dnssec_ok },
{ "dns_use_edns0", opt_int, &dns_use_edns0 },
/* This option is now a no-op, retained for compability */
{ "drop_cr", opt_bool, &drop_cr },