On Mon, Jan 27, 2014 at 03:55:06PM +0000, Viktor Dukhovni wrote:
> Step 1: DNSSEC support
> -----------------------
>
Finally, peeking at
http://git.exim.org/exim.git/blob/HEAD:/src/src/dns.c
I must admit that I don't understand the CNAME handling logic in
the dns_lookup() function. If it is not somewhat wrong, it probably
can be made less confusing.
A DNS reply can contain multiple CNAME records:
$ dig +noall +ans -t a www.paypal.com
www.paypal.com. 300 IN CNAME www.paypal.com.akadns.net.
www.paypal.com.akadns.net. 30 IN CNAME wlb.paypal.com.akadns.net.
wlb.paypal.com.akadns.net. 30 IN CNAME active-www.paypal.com.
active-www.paypal.com. 300 IN A 173.0.84.34
active-www.paypal.com. 300 IN A 173.0.88.34
active-www.paypal.com. 300 IN A 173.0.88.2
active-www.paypal.com. 300 IN A 173.0.84.2
It seems to me that the fully_qualified_name will be taken from
the left side of the last CNAME record in the reply (i.e. will be
"wlb.paypal.com.akadns.net"), which is probably not what's intended.
This is the function that will probably also need to capture the
"rname", which in this case is "active-www.paypal.com", while the
"qname" (your fully_qualified_name I think) is "www.paypal.com".
It will need to take a flags argument that temporarily sets and
before returning restores a subset of the resolver options.
It will likely be useful to return a linked list of extracted
results, rather than leave the caller to re-parse the raw answer
from the resolver. The digest algorithm agility logic for DANE and
processing of "unusable" records, ... will be easier if the reply
list can be manipulated to discard selected records.
Speaking of fully-qualified names, it is important that lookups
of MX records, MX hostnames (and later TLSA records) disable
RES_DEFNAMES and RES_DNSRCH. DNS names used with DANE need to be
"absolute". Thus "qname" MUST be equal to the lookup input name
for all the queries in question.
--
Viktor.
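Added example (not Exim's dns.c and not the poster's code): it walks the CNAME chain from the dig output quoted above to recover the rname, and contrasts that with taking the owner of the last CNAME in the reply. It assumes answer records are already parsed into (owner, ttl, type, rdata) tuples with absolute, dot-terminated names.

```python
from typing import Dict, List, Optional, Tuple

# One parsed answer-section record: (owner, ttl, type, rdata).
Record = Tuple[str, int, str, str]

# Constructed from the dig output in the message above.
PAYPAL_ANSWER: List[Record] = [
    ("www.paypal.com.", 300, "CNAME", "www.paypal.com.akadns.net."),
    ("www.paypal.com.akadns.net.", 30, "CNAME", "wlb.paypal.com.akadns.net."),
    ("wlb.paypal.com.akadns.net.", 30, "CNAME", "active-www.paypal.com."),
    ("active-www.paypal.com.", 300, "A", "173.0.84.34"),
    ("active-www.paypal.com.", 300, "A", "173.0.88.34"),
    ("active-www.paypal.com.", 300, "A", "173.0.88.2"),
    ("active-www.paypal.com.", 300, "A", "173.0.84.2"),
]


def last_cname_owner(answer: List[Record]) -> Optional[str]:
    """The shortcut the message warns about: owner of the last CNAME seen."""
    owners = [r[0].lower() for r in answer if r[2] == "CNAME"]
    return owners[-1] if owners else None


def follow_chain(qname: str, qtype: str, answer: List[Record],
                 max_hops: int = 8) -> Tuple[str, List[str]]:
    """Walk CNAMEs starting at qname; return (rname, rdata of qtype).

    Off-chain records are ignored; a loop, a dangling CNAME, or more than
    one CNAME at a single owner is treated as an unusable reply.
    """
    if not qname.endswith("."):
        raise ValueError("qname must be absolute (no search-list expansion): " + qname)
    by_owner: Dict[str, List[Tuple[str, str]]] = {}
    for owner, _ttl, rtype, rdata in answer:
        by_owner.setdefault(owner.lower(), []).append((rtype, rdata))
    name, seen = qname.lower(), set()
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long at " + name)
        seen.add(name)
        rrs = by_owner.get(name, [])
        wanted = [rd for rt, rd in rrs if rt == qtype]
        if wanted:
            return name, wanted  # the rname is where the chain terminates
        cnames = [rd.lower() for rt, rd in rrs if rt == "CNAME"]
        if len(cnames) != 1:
            raise ValueError("dangling or ambiguous CNAME chain at " + name)
        name = cnames[0]
```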