author | Jeremy Harris <jgh146exb@wizmail.org> | 2023-01-05 18:39:51 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2023-01-05 18:39:51 +0000 |
commit | 30520c8f87fcf660ed99a2344cae7f9787f7bc89 (patch) | |
tree | d54235f8859fd44eb139a3a4f5ee7e0cd079864d | |
parent | e1aca33756f73c22b00a98d40ce2be8ed94464b1 (diff) |
DANE: do not check dns_again_means_nonexist for TLSA results of TRY_AGAIN
-rw-r--r-- | doc/doc-docbook/spec.xfpt | 7 | ||||
-rw-r--r-- | doc/doc-txt/ChangeLog | 4 | ||||
-rw-r--r-- | src/src/dns.c | 35 |
3 files changed, 32 insertions, 14 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 946f55b11..9243bd3f9 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15621,7 +15621,12 @@ by a setting such as this:
 .code
 dns_again_means_nonexist = *.in-addr.arpa
 .endd
-This option applies to all DNS lookups that Exim does. It also applies when the
+This option applies to all DNS lookups that Exim does,
+.new
+except for TLSA lookups (where knowing about such failures
+is security-relevant).
+.wen
+It also applies when the
 &[gethostbyname()]& or &[getipnodebyname()]& functions give temporary errors,
 since these are most likely to be caused by DNS lookup problems. The
 &(dnslookup)& router has some options of its own for controlling what happens
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f51a23c9c..45834756b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -98,6 +98,10 @@ JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group. Previously this always failed, probably leading to the usual downgrade to in-clear connections.
+JH/20 Fix TLSA lookups. Previously dns_again_means_nonexist would affect
+ SERVFAIL results, which breaks the downgrade resistance of DANE. Change
+ to not checking that list for these looks.
+
 Exim version 4.96
 -----------------
diff --git a/src/src/dns.c b/src/src/dns.c
index 2355409ec..d39b4b590 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -907,21 +907,30 @@ if (dnsa->answerlen < 0) switch (h_errno)
 /* Cut this out for various test programs */
 #ifndef STAND_ALONE
- if (try_again_recursion)
+ /* Permitting dns_again_means nonexist for TLSA lookups breaks the
+ doewngrade resistance of dane, so avoid for those. */
+
+ if (type == T_TLSA)
+ rc = FAIL;
+ else
 {
- log_write(0, LOG_MAIN|LOG_PANIC,
- "dns_again_means_nonexist recursion seen for %s (assuming nonexist)",
- name);
- return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH);
- }
+ if (try_again_recursion)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "dns_again_means_nonexist recursion seen for %s"
+ " (assuming nonexist)", name);
+ return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type),
+ DNS_NOMATCH);
+ }
- try_again_recursion = TRUE;
- save_domain = deliver_domain;
- deliver_domain = string_copy(name); /* set $domain */
- rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
- &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
- deliver_domain = save_domain;
- try_again_recursion = FALSE;
+ try_again_recursion = TRUE;
+ save_domain = deliver_domain;
+ deliver_domain = string_copy(name); /* set $domain */
+ rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
+ &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
+ deliver_domain = save_domain;
+ try_again_recursion = FALSE;
+ }
 if (rc != OK)
 { |
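Review bot: The new comment above the `type == T_TLSA` test carries the only statement of the security rationale in this hunk and has three typos that obscure it (`dns_again_means nonexist` is missing an underscore, `doewngrade`, `dane`); it should read `/* Applying dns_again_means_nonexist to a TLSA lookup would turn a SERVFAIL into "no TLSA records" and so defeat the downgrade resistance of DANE; never consult the list for that type. */`. Setting `rc = FAIL` so that the `if (rc != OK)` branch below takes the ordinary TRY_AGAIN path looks right as far as the hunk shows, but that branch's body and the enclosing `switch (h_errno)` continue outside the hunk, so it is worth confirming that what reaches the DANE code for a TLSA SERVFAIL is a temporary error (a defer) rather than a value the caller maps to "no TLSA, proceed without DANE". Because the option documentation said until this commit that the list applies to every lookup, a short trace in the new branch (a `DEBUG(D_dns)` line noting that dns_again_means_nonexist was deliberately not consulted for a TLSA lookup, if that macro is available at this point in the file) would spare an operator from chasing a list that no longer matches.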