X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fdns.c;h=95db526867029321275e247fbd986037247ef594;hb=36a3ae5f08725242b1fb4dfecc5617cc9c3e971b;hp=ae76e9e3f89277903f5f3512f4dd95af48bc8e0d;hpb=3ecab1575ef1f45a5e7cd3c48cd937ffa8eb0ad9;p=user%2Fhenk%2Fcode%2Fexim.git
diff --git a/src/src/dns.c b/src/src/dns.c
index ae76e9e3f..95db52686 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -201,6 +201,36 @@ if (dns_use_edns0 >= 0)
 dns_use_edns0 ? "" : "un");
 #endif
+#ifndef DISABLE_DNSSEC
+# ifdef RES_USE_DNSSEC
+# ifndef RES_USE_EDNS0
+# error Have RES_USE_DNSSEC but not RES_USE_EDNS0? Something hinky ...
+# endif
+if (dns_use_dnssec >= 0)
+ {
+ if (dns_use_edns0 == 0 && dns_use_dnssec != 0)
+ {
+ DEBUG(D_resolver)
+ debug_printf("CONFLICT: dns_use_edns0 forced false, dns_use_dnssec forced true!\n");
+ }
+ else
+ {
+ if (dns_use_dnssec)
+ resp->options |= RES_USE_DNSSEC;
+ else
+ resp->options &= ~RES_USE_DNSSEC;
+ DEBUG(D_resolver) debug_printf("Coerced resolver DNSSEC support %s.\n",
+ dns_use_dnssec ? "on" : "off");
+ }
+ }
+# else
+if (dns_use_dnssec >= 0)
+ DEBUG(D_resolver)
+ debug_printf("Unable to %sset DNSSEC without resolver support.\n",
+ dns_use_dnssec ? "" : "un");
+# endif
+#endif /* DISABLE_DNSSEC */
+
 os_put_dns_resolver_res(resp);
 }
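Review bot: The conflict branch (`dns_use_edns0 == 0 && dns_use_dnssec != 0`) and the `# else` fallback both report the problem only through `DEBUG(D_resolver)`, so an administrator who forced DNSSEC on gets lookups without it and sees nothing outside a debug run. Anything that later keys off the AD bit will then quietly see it unset, so the unhonoured setting deserves a main-log entry, or better a rejection when the configuration is read. This code may run on every resolver initialisation, so a log call placed here would need to fire only once. At minimum the conflict branch should carry a comment such as `/* DNSSEC needs EDNS0: resolver flags are left untouched and lookups run without DNSSEC */`. The enclosing function starts before this hunk, so the rest of its option handling is not visible here.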
@@ -394,6 +424,34 @@ return &(dnss->srr);
+/*************************************************
+* Return whether AD bit set in DNS result *
+*************************************************/
+
+/* We do not perform DNSSEC work ourselves; if the administrator has installed
+a verifying resolver which sets AD as appropriate, though, we'll use that.
+(AD = Authentic Data)
+
+Argument: pointer to dns answer block
+Returns: bool indicating presence of AD bit
+*/
+
+BOOL
+dns_is_secure(dns_answer *dnsa)
+{
+#ifdef DISABLE_DNSSEC
+DEBUG(D_dns)
+ debug_printf("DNSSEC support disabled at build-time; dns_is_secure() false\n");
+return FALSE;
+#else
+HEADER *h = (HEADER *)dnsa->answer;
+return h->ad ? TRUE : FALSE;
+#endif
+}
+
+
+
+
 /*************************************************
 * Turn DNS type into text *
 *************************************************/
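Review bot: `dns_is_secure()` returns whatever the AD flag in the reply header says, and that flag is an unauthenticated bit, only as trustworthy as the path between this host and the resolver that set it. The header comment should state that limit, for example `The AD bit is only meaningful when the validating resolver is reached over a trusted path (e.g. loopback); callers must not treat it as proof otherwise.` Separately, the cast to `HEADER *` reads `dnsa->answer` without checking how many bytes the last lookup actually stored there. If the function can be reached after a failed or truncated reply (not visible in this hunk), a length check that returns `FALSE` would avoid acting on a stale or partial header.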