[exim-cvs] Make dnssec_request_domains/dnssec_require_domain…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Make dnssec_request_domains/dnssec_require_domains generic
Gitweb: http://git.exim.org/exim.git/commitdiff/99c1bb4ed9d99c7b0f615750c37884d7a7f9aa0d
Commit:     99c1bb4ed9d99c7b0f615750c37884d7a7f9aa0d
Parent:     8d42c8364882bf2d743a5b876d6df741b6d67e40
Author:     Heiko Schlittermann (HS12) <hs@???>
AuthorDate: Thu Apr 9 17:30:58 2015 +0200
Committer:  Heiko Schlittermann (HS12) <hs@???>
CommitDate: Sat Apr 25 22:39:39 2015 +0200


    Make dnssec_request_domains/dnssec_require_domains generic


    Not only the dnslookup router should use DNSSEC for lookups. The
    manualroute and even the queryprogram router may just generate a host list.
    The names then need to be resolved, optionally via DNSSEC.
---
 doc/doc-docbook/spec.xfpt            |   41 +++++++++++++++------------------
 doc/doc-txt/ChangeLog                |    2 +
 src/src/globals.c                    |    5 +++-
 src/src/route.c                      |    4 +++
 src/src/routers/dnslookup.c          |    8 +-----
 src/src/routers/dnslookup.h          |    2 -
 src/src/routers/rf_lookup_hostlist.c |    7 +++--
 src/src/structs.h                    |    2 +
 test/stdout/0147                     |    2 +
 test/stdout/0442                     |    2 +
 10 files changed, 40 insertions(+), 35 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index f274db7..bd1c8bf 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -17018,6 +17018,25 @@ or for any deliveries caused by this router. You should not set this option
unless you really, really know what you are doing. See also the generic
transport option of the same name.

+.option dnssec_request_domains routers "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX, AAAA, A lookup sequence.
+
+.option dnssec_require_domains routers "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set. Any returns not having the Authenticated Data bit
+(AD bit) set wil be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX, AAAA, A lookup sequence.
+

.option domains routers&!? "domain list&!!" unset
.cindex "router" "restricting to specific domains"
@@ -18070,28 +18089,6 @@ when there is a DNS lookup error.



-.option dnssec_request_domains dnslookup "domain list&!!" unset
-.cindex "MX record" "security"
-.cindex "DNSSEC" "MX lookup"
-.cindex "security" "MX lookup"
-.cindex "DNS" "DNSSEC"
-DNS lookups for domains matching &%dnssec_request_domains%& will be done with
-the dnssec request bit set.
-This applies to all of the SRV, MX, AAAA, A lookup sequence.
-
-
-
-.option dnssec_require_domains dnslookup "domain list&!!" unset
-.cindex "MX record" "security"
-.cindex "DNSSEC" "MX lookup"
-.cindex "security" "MX lookup"
-.cindex "DNS" "DNSSEC"
-DNS lookups for domains matching &%dnssec_request_domains%& will be done with
-the dnssec request bit set. Any returns not having the Authenticated Data bit
-(AD bit) set wil be ignored and logged as a host-lookup failure.
-This applies to all of the SRV, MX, AAAA, A lookup sequence.
-
-

.option fail_defer_domains dnslookup "domain list&!!" unset
.cindex "MX record" "not found"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c0a965e..2421bab 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -83,6 +83,8 @@ JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size

JH/24 Verification callouts now attempt to use TLS by default.

+HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) 
+      are generic router options now. The defaults didn't change.



 Exim version 4.85
diff --git a/src/src/globals.c b/src/src/globals.c
index a71c80e..868b27e 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1168,7 +1168,10 @@ router_instance  router_defaults = {
     NULL,                      /* fallback_hostlist */
     NULL,                      /* transport instance */
     NULL,                      /* pass_router */
-    NULL                       /* redirect_router */
+    NULL,                      /* redirect_router */
+
+    NULL,                      /* dnssec_request_domains */
+    NULL                       /* dnssec_require_domains */
 };


 uschar *router_name            = NULL;
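Review bot: The two new defaults are appended positionally, so their correctness depends entirely on dnssec_request_domains and dnssec_require_domains being the last two members of router_instance in structs.h, and the blank line between redirect_router and the new entries gives no hint of that coupling. A one-line comment would make the dependency explicit, e.g. `/* generic DNSSEC options; must stay last, matching router_instance in structs.h */` above the two NULLs, or, if the codebase accepts C99 designated initializers, `.dnssec_request_domains = NULL, .dnssec_require_domains = NULL` would remove the ordering dependency altogether. The router_defaults initializer begins outside this hunk.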
diff --git a/src/src/route.c b/src/src/route.c
index ec18880..2f534b7 100644
--- a/src/src/route.c
+++ b/src/src/route.c
@@ -54,6 +54,10 @@ optionlist optionlist_routers[] = {
                  (void *)offsetof(router_instance, debug_string) },
   { "disable_logging",    opt_bool | opt_public,
                  (void *)offsetof(router_instance, disable_logging) },
+  { "dnssec_request_domains",            opt_stringptr|opt_public,
+                 (void *)offsetof(router_instance, dnssec_request_domains) },
+  { "dnssec_require_domains",            opt_stringptr|opt_public,
+                 (void *)offsetof(router_instance, dnssec_require_domains) },
   { "domains",            opt_stringptr|opt_public,
                  (void *)offsetof(router_instance, domains) },
   { "driver",             opt_stringptr|opt_public,
diff --git a/src/src/routers/dnslookup.c b/src/src/routers/dnslookup.c
index 650e56d..69b2404 100644
--- a/src/src/routers/dnslookup.c
+++ b/src/src/routers/dnslookup.c
@@ -18,10 +18,6 @@ optionlist dnslookup_router_options[] = {
       (void *)(offsetof(dnslookup_router_options_block, check_secondary_mx)) },
   { "check_srv",          opt_stringptr,
       (void *)(offsetof(dnslookup_router_options_block, check_srv)) },
-  { "dnssec_request_domains",         opt_stringptr,
-      (void *)(offsetof(dnslookup_router_options_block, dnssec_request_domains)) },
-  { "dnssec_require_domains",         opt_stringptr,
-      (void *)(offsetof(dnslookup_router_options_block, dnssec_require_domains)) },
   { "fail_defer_domains", opt_stringptr,
       (void *)(offsetof(dnslookup_router_options_block, fail_defer_domains)) },
   { "mx_domains",         opt_stringptr,
@@ -60,8 +56,6 @@ dnslookup_router_options_block dnslookup_router_option_defaults = {
   NULL,            /* mx_fail_domains */
   NULL,            /* srv_fail_domains */
   NULL,            /* check_srv */
-  NULL,            /* dnssec_request_domains */
-  NULL,            /* dnssec_require_domains */
   NULL             /* fail_defer_domains */
 };


@@ -271,7 +265,7 @@ for (;;)

   rc = host_find_bydns(&h, CUS rblock->ignore_target_hosts, flags, srv_service,
     ob->srv_fail_domains, ob->mx_fail_domains,
-    ob->dnssec_request_domains, ob->dnssec_require_domains,
+    rblock->dnssec_request_domains, rblock->dnssec_require_domains,
     &fully_qualified_name, &removed);
   if (removed) setflag(addr, af_local_host_removed);


diff --git a/src/src/routers/dnslookup.h b/src/src/routers/dnslookup.h
index 907ff0c..af01d56 100644
--- a/src/src/routers/dnslookup.h
+++ b/src/src/routers/dnslookup.h
@@ -17,8 +17,6 @@ typedef struct {
uschar *mx_fail_domains;
uschar *srv_fail_domains;
uschar *check_srv;
- uschar *dnssec_request_domains;
- uschar *dnssec_require_domains;
uschar *fail_defer_domains;
} dnslookup_router_options_block;

diff --git a/src/src/routers/rf_lookup_hostlist.c b/src/src/routers/rf_lookup_hostlist.c
index ab2e4ec..7ff7f45 100644
--- a/src/src/routers/rf_lookup_hostlist.c
+++ b/src/src/routers/rf_lookup_hostlist.c
@@ -94,8 +94,8 @@ for (h = addr->host_list; h != NULL; h = next_h)
         NULL,                           /* SRV service not relevant */
         NULL,                           /* failing srv domains not relevant */
         NULL,                           /* no special mx failing domains */
-    NULL,                           /* no dnssec request XXX ? */
-    NULL,                           /* no dnssec require XXX ? */
+    rblock->dnssec_request_domains,         /* no dnssec request XXX ? */
+    rblock->dnssec_require_domains,         /* no dnssec require XXX ? */
         NULL,                           /* fully_qualified_name */
         NULL);                          /* indicate local host removed */
     }
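Review bot: The comments on the two rewritten arguments are now wrong: `/* no dnssec request XXX ? */` and `/* no dnssec require XXX ? */` were carried over from the NULL placeholders they replace, but the arguments now pass the router's generic dnssec_request_domains and dnssec_require_domains lists. The same stale comments are repeated in the second hunk of this file at the other host_find_bydns call. I would write `rblock->dnssec_request_domains,  /* generic dnssec_request_domains option */` and `rblock->dnssec_require_domains,  /* generic dnssec_require_domains option */`, and indent them like the neighbouring arguments (they sit four columns left of the surrounding NULL lines). The enclosing loop over addr->host_list starts and ends outside the hunk.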
@@ -120,7 +120,8 @@ for (h = addr->host_list; h != NULL; h = next_h)
     DEBUG(D_route|D_host_lookup) debug_printf("doing DNS lookup\n");
     rc = host_find_bydns(h, ignore_target_hosts, HOST_FIND_BY_A, NULL, NULL,
       NULL,
-      NULL, NULL,    /*XXX dnssec? */
+      rblock->dnssec_request_domains,         /* no dnssec request XXX ? */
+      rblock->dnssec_require_domains,         /* no dnssec require XXX ? */
       &canonical_name, &removed);
     if (rc == HOST_FOUND)
       {
diff --git a/src/src/structs.h b/src/src/structs.h
index c181f3f..3f9fb60 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -296,6 +296,8 @@ typedef struct router_instance {
   transport_instance *transport;  /* Transport block (when found) */
   struct router_instance *pass_router; /* Actual router for passed address */
   struct router_instance *redirect_router; /* Actual router for generated address */
+  uschar  *dnssec_request_domains;    /* ask for DNSSEC XXX */
+  uschar  *dnssec_require_domains;    /* require DNSSEC XXX */
 } router_instance;



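Review bot: The new router_instance members are documented only as `/* ask for DNSSEC XXX */` and `/* require DNSSEC XXX */`, leaving XXX markers in a public struct header that other routers will now read from. The semantics are already stated in the spec.xfpt hunk of this commit, so the comments can say it: `uschar  *dnssec_request_domains;    /* domain list: DNS lookups made with the DNSSEC request bit set */` and `uschar  *dnssec_require_domains;    /* domain list: answers without the AD bit are treated as a host-lookup failure */`. Since router_defaults in globals.c is initialised positionally, it is also worth noting here that these two members must remain at the end of the struct in this order.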
diff --git a/test/stdout/0147 b/test/stdout/0147
index b877c61..45e4824 100644
--- a/test/stdout/0147
+++ b/test/stdout/0147
@@ -23,6 +23,8 @@ no_check_local_user
condition =
debug_print =
no_disable_logging
+dnssec_request_domains =
+dnssec_require_domains =
domains =
driver = accept
no_dsn_lasthop
diff --git a/test/stdout/0442 b/test/stdout/0442
index b47d7b3..34c6510 100644
--- a/test/stdout/0442
+++ b/test/stdout/0442
@@ -8,6 +8,8 @@ no_check_local_user
condition =
debug_print =
no_disable_logging
+dnssec_request_domains =
+dnssec_require_domains =
domains =
driver = accept
no_dsn_lasthop