[exim-cvs] Change the default of dnssec_request_domains to '…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Change the default of dnssec_request_domains to '*'
Gitweb: https://git.exim.org/exim.git/commitdiff/ab0e957b09b73546a58b27fbce42569d56c1382b
Commit:     ab0e957b09b73546a58b27fbce42569d56c1382b
Parent:     86ede124f0ce622b4f73e05504abc11fece021e3
Author:     Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Fri Sep 27 03:42:46 2019 +0200
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Fri Oct 18 10:43:55 2019 +0200


    Change the default of dnssec_request_domains to '*'
---
 doc/doc-docbook/spec.xfpt | 9 +++++----
 doc/doc-txt/ChangeLog     | 1 +
 src/src/configure.default | 3 ---
 src/src/globals.c         | 2 +-
 src/src/lookups/dnsdb.c   | 4 ++--
 src/src/transports/smtp.c | 2 +-
 6 files changed, 10 insertions(+), 11 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 6cfe0bf..da9d616 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -7331,7 +7331,7 @@ with the lookup.
With &"strict"& a response from the DNS resolver that
is not labelled as authenticated data
is treated as equivalent to a temporary DNS error.
-The default is &"never"&.
+The default is &"lax"&.

See also the &$lookup_dnssec_authenticated$& variable.

@@ -18382,7 +18382,7 @@ or for any deliveries caused by this router. You should not set this option
unless you really, really know what you are doing. See also the generic
transport option of the same name.

-.option dnssec_request_domains routers "domain list&!!" unset
+.option dnssec_request_domains routers "domain list&!!" *
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
.cindex "security" "MX lookup"
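Review bot: the documented default changes from unset to * without saying how to restore the previous behaviour. The option is a domain list, so the text below this line should state which value turns DNSSEC requests off again (an empty list, if that is what the option code treats as "off") and flag that this is a behaviour change from earlier releases for every dnslookup router that does not set the option explicitly.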
@@ -24571,7 +24571,7 @@ See the &%search_parents%& option in chapter &<<CHAPdnslookup>>& for more
details.


-.option dnssec_request_domains smtp "domain list&!!" unset
+.option dnssec_request_domains smtp "domain list&!!" *
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
.cindex "security" "MX lookup"
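Review bot: same default change as the router option at 18382, so the two options of the same name are now both * by default. The documentation should say which setting wins when a router and the transport it hands the address to disagree (for example a router with an explicit restrictive list while the transport keeps *); otherwise an administrator who disables DNSSEC requests in one place may be surprised that they are still made by the other.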
@@ -29055,7 +29055,8 @@ If DANE is requested and useable (see above) the following transport options are
If DANE is not usable, whether requested or not, and CA-anchored
verification evaluation is wanted, the above variables should be set appropriately.

-Currently the (router or transport options) &%dnssec_request_domains%& must be active and &%dnssec_require_domains%& is ignored.
+The router and transport option &%dnssec_request_domains%& must not be
+set to "never" and &%dnssec_require_domains%& is ignored.

If verification was successful using DANE then the "CV" item in the delivery log line will show as "CV=dane".

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 93f4a1e..7568d2e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -192,6 +192,7 @@ JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
       function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
       3.6.0, DH parameters are negotiated following RFC7919."


+HS/06 Change the default of dnssec_request_domains to "*"

Exim version 4.92
-----------------
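Review bot: the entry says what changed but not what it means for an existing installation: the old default (unset) and the fact that every dnslookup router and smtp transport will now request DNSSEC for all domains unless configured otherwise. Suggest something like `HS/06 Change the default of dnssec_request_domains (routers and the smtp transport) to "*"; it was previously unset. Set it explicitly to keep the old behaviour.` and a matching NewStuff entry, since this is user-visible. The entry is also preceded by two blank lines where the neighbouring entries use one.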
diff --git a/src/src/configure.default b/src/src/configure.default
index 245cc39..8681499 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -690,9 +690,6 @@ dnslookup:
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
# if ipv6-enabled then instead use:
# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
-.ifdef _HAVE_DNSSEC
- dnssec_request_domains = *
-.endif
no_more

 # This closes the ROUTER_SMARTHOST ifdef around the choice of routing for
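Review bot: dropping the `.ifdef _HAVE_DNSSEC` block is correct now that the defaults in globals.c and smtp.c supply `*`, but note that those C defaults are unconditional whereas this example configuration only enabled the option when DNSSEC support was compiled in. Please confirm that a build without DNSSEC support treats the default `*` as a harmless no-op (or rejects it with a clear message at startup) rather than failing at delivery time; if it would fail, the C defaults need the equivalent build-time conditional.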
diff --git a/src/src/globals.c b/src/src/globals.c
index 24281f2..677c03e 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1362,7 +1362,7 @@ router_instance  router_defaults = {
     .pass_router =        NULL,
     .redirect_router =        NULL,


-    .dnssec =            { NULL, NULL },            /* dnssec_domains {require,request} */
+    .dnssec =                   { .request= US"*", .require=NULL },
 };


 uschar *router_name            = NULL;
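Review bot: moving to designated initialisers makes the dropped `/* dnssec_domains {require,request} */` comment unnecessary, which is good; the old positional `{ NULL, NULL }` silently depended on the struct's field order, and the new form does not. Only a style point remains: `.request= US"*"` and `.require=NULL` on the same line use different spacing around `=`; pick one, matching whatever the rest of router_defaults does.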
diff --git a/src/src/lookups/dnsdb.c b/src/src/lookups/dnsdb.c
index 2727344..1cf8df7 100644
--- a/src/src/lookups/dnsdb.c
+++ b/src/src/lookups/dnsdb.c
@@ -112,7 +112,7 @@ terminates option processing.  Recognised options are:
 causes the whole lookup to defer only if none of the DNS queries succeeds; and
 'never', where all defers are as if the lookup failed. The default is 'lax'.


-- 'dnssec_FOO', with 'strict', 'lax' and 'never' (default). The meanings are
+- 'dnssec_FOO', with 'strict', 'lax' (default), and 'never'. The meanings are
require, try and don't-try dnssec respectively.

 - 'retrans_VAL', set the timeout value.  VAL is an Exim time specification
@@ -136,7 +136,7 @@ dnsdb_find(void *handle, uschar *filename, const uschar *keystring, int length,
 int rc;
 int sep = 0;
 int defer_mode = PASS;
-int dnssec_mode = OK;
+int dnssec_mode = PASS;
 int save_retrans = dns_retrans;
 int save_retry =   dns_retry;
 int type;
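Review bot: `dnssec_mode` reuses the defer-mode constants (`OK`, `PASS`, `DEFER`), and nothing in this hunk shows which constant the `dnssec_lax` keyword sets. Please confirm in the option-parsing code below that 'lax' maps to `PASS`, so this new default agrees with the 'lax (default)' text changed in the previous hunk, and consider a one-line comment on the declaration stating the keyword-to-constant mapping once confirmed, since reusing the defer constants for a different option is not obvious to a reader.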
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index c547c87..fe28d86 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -281,7 +281,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   .gethostbyname =        FALSE,
   .dns_qualify_single =        TRUE,
   .dns_search_parents =        FALSE,
-  .dnssec = { .request=NULL, .require=NULL },
+  .dnssec = { .request= US"*", .require=NULL },
   .delay_after_cutoff =        TRUE,
   .hosts_override =        FALSE,
   .hosts_randomize =        FALSE,
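Review bot: `US"*"` is now hard-coded as the default in two places, here and in `router_defaults` in globals.c. A single shared macro (for example a `DNSSEC_REQUEST_DEFAULT` defined in a common header) would keep the router and transport defaults from drifting apart in a later change, and would give the documentation one place to point at. The `.request= US"*"` spacing around `=` is also inconsistent with `.require=NULL` on the same line, as in globals.c.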