X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fdns.c;h=542354db394e0c41a28583c5831450661a9ee52e;hb=ac6652c8a0ac69fc0f46d7f8535aa537cd609c94;hp=185522e588bda8cdb8c2a0cbd6224794cc539576;hpb=5a66c31b0ec1f4128df4398e18dfe497c2a34de7;p=user%2Fhenk%2Fcode%2Fexim.git

diff --git a/src/src/dns.c b/src/src/dns.c
index 185522e58..542354db3 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -159,12 +159,13 @@ the first time we have been here, and set the resolver options.
 Arguments:
   qualify_single    TRUE to set the RES_DEFNAMES option
   search_parents    TRUE to set the RES_DNSRCH option
+  use_dnssec        TRUE to set the RES_USE_DNSSEC option
 
 Returns:            nothing
 */
 
 void
-dns_init(BOOL qualify_single, BOOL search_parents)
+dns_init(BOOL qualify_single, BOOL search_parents, BOOL use_dnssec)
 {
 res_state resp = os_get_dns_resolver_res();
 
@@ -206,6 +207,8 @@ if (dns_use_edns0 >= 0)
 #  ifndef RES_USE_EDNS0
 #   error Have RES_USE_DNSSEC but not RES_USE_EDNS0?  Something hinky ...
 #  endif
+if (use_dnssec)
+  resp->options |= RES_USE_DNSSEC;
 if (dns_dnssec_ok >= 0)
   {
   if (dns_use_edns0 == 0 && dns_dnssec_ok != 0)
@@ -228,6 +231,9 @@ if (dns_dnssec_ok >= 0)
   DEBUG(D_resolver)
     debug_printf("Unable to %sset DNSSEC without resolver support.\n",
         dns_dnssec_ok ? "" : "un");
+if (use_dnssec)
+  DEBUG(D_resolver)
+    debug_printf("Unable to set DNSSEC without resolver support.\n");
 # endif
 #endif /* DISABLE_DNSSEC */
 
@@ -449,6 +455,14 @@ return h->ad ? TRUE : FALSE;
 #endif
 }
 
+static void
+dns_set_insecure(dns_answer * dnsa)
+{
+HEADER * h = (HEADER *)dnsa->answer;
+h->ad = 0;
+}
+
+
 
 
 
@@ -601,7 +615,7 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
   /* For an SRV lookup, skip over the first two components (the service and
   protocol names, which both start with an underscore). */
 
-  if (type == T_SRV)
+  if (type == T_SRV || type == T_TLSA)
     {
     while (*checkname++ != '.');
     while (*checkname++ != '.');
@@ -746,7 +760,8 @@ int
 dns_lookup(dns_answer *dnsa, uschar *name, int type, uschar **fully_qualified_name)
 {
 int i;
-uschar *orig_name = name;
+const uschar *orig_name = name;
+BOOL secure_so_far = TRUE;
 
 /* Loop to follow CNAME chains so far, but no further... */
 
@@ -801,7 +816,12 @@ for (i = 0; i < 10; i++)
 
   /* If any data records of the correct type were found, we are done. */
 
-  if (type_rr.data != NULL) return DNS_SUCCEED;
+  if (type_rr.data != NULL)
+    {
+    if (!secure_so_far)	/* mark insecure if any element of CNAME chain was */
+      dns_set_insecure(dnsa);
+    return DNS_SUCCEED;
+    }
 
   /* If there are no data records, we need to re-scan the DNS using the
   domain given in the CNAME record, which should exist (otherwise we should
@@ -814,6 +834,9 @@ for (i = 0; i < 10; i++)
   if (datalen < 0) return DNS_FAIL;
   name = data;
 
+  if (!dns_is_secure(dnsa))
+    secure_so_far = FALSE;
+
   DEBUG(D_dns) debug_printf("CNAME found: change to %s\n", name);
   }       /* Loop back to do another lookup */
 
@@ -1249,4 +1272,6 @@ else
 return yield;
 }
 
+/* vi: aw ai sw=2
+*/
 /* End of dns.c */