Re: [exim-dev] DNSSEC / log spam

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] DNSSEC / log spam
On Fri, Jun 29, 2018 at 09:54:17PM -0400, Phil Pennock via Exim-dev wrote:

> >
> > Jun 29 20:12:53 thebighonker exim[37649]: gethostby*.gethostanswer: asked for "borg.lerctr.org IN AAAA", got type "RRSIG"
> > Jun 29 20:12:53 thebighonker exim[37649]: gethostby*.gethostanswer: asked for "borg.lerctr.org IN A", got type "RRSIG"
>
> Those messages are being generated by libc, so although it's from the
> Exim process, it's not from the Exim codebase.
>
> AFAIK there's nothing we can do from our side, as long as going through
> that interface.


Postfix does not log such messages. The reason is that Postfix only sets
the RES_DNSSEC and RES_EDNS0 options briefly while performing its own
explicit DNS lookups, and restores the original resolver flags when the
lookup is done.

IIRC, Exim sets the flags once, and they persist even for lookups
made elsewhere in libc. So there is a potential solution, if you're
willing to change how you manage _res.options. In Postfix certain
options are saved and then cleared, the Postfix desired values for
the Postfix lookup are set, the lookup is done, and then the options
are reverted:

    ...
    _res.options &= ~saved_options;
    _res.options |= flags;
    len = dns_res_search((char *) name, C_IN, type, reply->buf,
                         reply->buf_len, keep_notfound);
    _res.options &= ~flags;
    _res.options |= saved_options;
    ...


The saved options are:

    (RES_DEBUG | RES_DNSRCH | RES_DEFNAMES | RES_USE_DNSSEC | RES_USE_EDNS0)


The flags being set temporarily must be a subset of these.

-- 
    Viktor.
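
The save/set/lookup/restore sequence described in the message above, as an added C example (not part of the original message, and not Postfix or Exim code). The names `scoped_lookup`, `lookup_fn`, `record_options`, `seen_options` and `SAVE_FLAGS` are hypothetical, and the lookup is a constructed stand-in that only records `_res.options`, so it runs without a network.

```c
#include <stdio.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>

/* The option set the message lists as saved around each lookup. */
#define SAVE_FLAGS \
    (RES_DEBUG | RES_DNSRCH | RES_DEFNAMES | RES_USE_DNSSEC | RES_USE_EDNS0)

/* Hypothetical callback type; a real caller would wrap res_search() here. */
typedef int (*lookup_fn)(const char *, int, unsigned char *, int);

unsigned long seen_options;   /* resolver options observed during the lookup */

/* Constructed stand-in for a DNS query, so the example runs offline. */
int record_options(const char *name, int type, unsigned char *buf, int len)
{
    (void) name; (void) type; (void) buf; (void) len;
    seen_options = _res.options;
    return 0;
}

/* Run fn with `flags` enabled, then put _res.options back as it was. */
int scoped_lookup(lookup_fn fn, unsigned long flags, const char *name,
                  int type, unsigned char *buf, int len)
{
    unsigned long saved_options;
    int ret;
    if (flags & ~(unsigned long) SAVE_FLAGS)
        return -1;              /* outside the saved set: cannot be restored */
    saved_options = _res.options & SAVE_FLAGS;
    _res.options &= ~saved_options;     /* clear the caller's managed bits */
    _res.options |= flags;              /* set only what this lookup wants */
    ret = fn(name, type, buf, len);
    _res.options &= ~flags;             /* undo the temporary bits */
    _res.options |= saved_options;      /* restore the caller's bits */
    return ret;
}

int main(void)
{
    unsigned char buf[512];
    _res.options = RES_RECURSE | RES_DNSRCH | RES_DEFNAMES;  /* constructed state */
    scoped_lookup(record_options, RES_USE_DNSSEC | RES_USE_EDNS0,
                  "example.test", ns_t_a, buf, sizeof buf);
    printf("during: %#lx  after: %#lx\n", seen_options, _res.options);
    return 0;
}
```

Because the DNSSEC and EDNS0 bits are cleared again before `scoped_lookup` returns, later libc lookups such as `gethostbyname()` run with the process's original resolver options.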