[exim-cvs] DANE: do not check dns_again_means_nonexist for T…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] DANE: do not check dns_again_means_nonexist for TLSA results of TRY_AGAIN
Gitweb: https://git.exim.org/exim.git/commitdiff/30520c8f87fcf660ed99a2344cae7f9787f7bc89
Commit:     30520c8f87fcf660ed99a2344cae7f9787f7bc89
Parent:     e1aca33756f73c22b00a98d40ce2be8ed94464b1
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Jan 5 18:39:51 2023 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Jan 5 18:39:51 2023 +0000


    DANE: do not check dns_again_means_nonexist for TLSA results of TRY_AGAIN
---
 doc/doc-docbook/spec.xfpt |  7 ++++++-
 doc/doc-txt/ChangeLog     |  4 ++++
 src/src/dns.c             | 35 ++++++++++++++++++++++-------------
 3 files changed, 32 insertions(+), 14 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 946f55b11..9243bd3f9 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15621,7 +15621,12 @@ by a setting such as this:
 .code
 dns_again_means_nonexist = *.in-addr.arpa
 .endd
-This option applies to all DNS lookups that Exim does. It also applies when the
+This option applies to all DNS lookups that Exim does,
+.new
+except for TLSA lookups (where knowing about such failures
+is security-relevant).
+.wen
+It also applies when the
 &[gethostbyname()]& or &[getipnodebyname()]& functions give temporary errors,
 since these are most likely to be caused by DNS lookup problems. The
 &(dnslookup)& router has some options of its own for controlling what happens
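Review bot: The new spec text says only that failures of TLSA lookups are "security-relevant", while the ChangeLog entry in this same commit states the concrete reason (treating a SERVFAIL as nonexistence breaks the downgrade resistance of DANE). The spec is what an operator reads when deciding whether to set dns_again_means_nonexist, so it should carry the same reasoning; suggest wording along the lines of "except for TLSA lookups, because treating a temporary failure as nonexistence would defeat DANE's downgrade resistance" inside the .new/.wen block.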
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f51a23c9c..45834756b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -98,6 +98,10 @@ JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group.  Previously
       this always failed, probably leading to the usual downgrade to in-clear
       connections.


+JH/20 Fix TLSA lookups.  Previously dns_again_means_nonexist would affect
+      SERVFAIL results, which breaks the downgrade resistance of DANE.  Change
+      to not checking that list for these looks.
+


Exim version 4.96
-----------------
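Review bot: The new entry is numbered JH/20, which duplicates the JH/20 (Bug 2954) entry immediately above it in the context lines; it should be JH/21. Also, "for these looks" in the last added line should read "for these lookups".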
diff --git a/src/src/dns.c b/src/src/dns.c
index 2355409ec..d39b4b590 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -907,21 +907,30 @@ if (dnsa->answerlen < 0) switch (h_errno)

     /* Cut this out for various test programs */
 #ifndef STAND_ALONE
-    if (try_again_recursion)
+    /* Permitting dns_again_means nonexist for TLSA lookups breaks the
+    doewngrade resistance of dane, so avoid for those. */
+
+    if (type == T_TLSA)
+      rc = FAIL;
+    else
       {
-      log_write(0, LOG_MAIN|LOG_PANIC,
-    "dns_again_means_nonexist recursion seen for %s (assuming nonexist)",
-    name);
-      return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH);
-      }
+      if (try_again_recursion)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "dns_again_means_nonexist recursion seen for %s"
+      " (assuming nonexist)", name);
+    return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type),
+                  DNS_NOMATCH);
+    }


-    try_again_recursion = TRUE;
-    save_domain = deliver_domain;
-    deliver_domain = string_copy(name);  /* set $domain */
-    rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
-      &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
-    deliver_domain = save_domain;
-    try_again_recursion = FALSE;
+      try_again_recursion = TRUE;
+      save_domain = deliver_domain;
+      deliver_domain = string_copy(name);  /* set $domain */
+      rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
+    &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
+      deliver_domain = save_domain;
+      try_again_recursion = FALSE;
+      }


     if (rc != OK)
       {
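Review bot: The new comment has typos that should be fixed before merging: "dns_again_means nonexist" should be "dns_again_means_nonexist", "doewngrade" should be "downgrade", and "dane" should be "DANE". On the logic, setting rc = FAIL for T_TLSA makes the outcome depend on the following `if (rc != OK)` branch (not shown in this hunk) treating a non-OK result as the temporary-failure path rather than as nonexistence; that is the intended behaviour per the comment, but a one-line note next to `rc = FAIL;` (e.g. "TLSA: keep TRY_AGAIN as a temporary failure") would save the next reader from having to check. Finally, the indentation of the inner try_again_recursion block (the brace sits to the left of the `if` it belongs to) does not follow the enclosing block's style; this may be a tab/space mix worth normalising.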