summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2023-01-05 18:39:51 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2023-01-05 18:39:51 +0000
commit30520c8f87fcf660ed99a2344cae7f9787f7bc89 (patch)
treed54235f8859fd44eb139a3a4f5ee7e0cd079864d
parente1aca33756f73c22b00a98d40ce2be8ed94464b1 (diff)
DANE: do not check dns_again_means_nonexist for TLSA results of TRY_AGAIN
-rw-r--r--doc/doc-docbook/spec.xfpt7
-rw-r--r--doc/doc-txt/ChangeLog4
-rw-r--r--src/src/dns.c35
3 files changed, 32 insertions, 14 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 946f55b11..9243bd3f9 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15621,7 +15621,12 @@ by a setting such as this:
.code
dns_again_means_nonexist = *.in-addr.arpa
.endd
-This option applies to all DNS lookups that Exim does. It also applies when the
+This option applies to all DNS lookups that Exim does,
+.new
+except for TLSA lookups (where knowing about such failures
+is security-relevant).
+.wen
+It also applies when the
&[gethostbyname()]& or &[getipnodebyname()]& functions give temporary errors,
since these are most likely to be caused by DNS lookup problems. The
&(dnslookup)& router has some options of its own for controlling what happens
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f51a23c9c..45834756b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -98,6 +98,10 @@ JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group. Previously
this always failed, probably leading to the usual downgrade to in-clear
connections.
+JH/20 Fix TLSA lookups. Previously dns_again_means_nonexist would affect
+ SERVFAIL results, which breaks the downgrade resistance of DANE. Change
+ to not checking that list for these looks.
+
Exim version 4.96
-----------------
diff --git a/src/src/dns.c b/src/src/dns.c
index 2355409ec..d39b4b590 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -907,21 +907,30 @@ if (dnsa->answerlen < 0) switch (h_errno)
/* Cut this out for various test programs */
#ifndef STAND_ALONE
- if (try_again_recursion)
+ /* Permitting dns_again_means nonexist for TLSA lookups breaks the
+ doewngrade resistance of dane, so avoid for those. */
+
+ if (type == T_TLSA)
+ rc = FAIL;
+ else
{
- log_write(0, LOG_MAIN|LOG_PANIC,
- "dns_again_means_nonexist recursion seen for %s (assuming nonexist)",
- name);
- return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH);
- }
+ if (try_again_recursion)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "dns_again_means_nonexist recursion seen for %s"
+ " (assuming nonexist)", name);
+ return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type),
+ DNS_NOMATCH);
+ }
- try_again_recursion = TRUE;
- save_domain = deliver_domain;
- deliver_domain = string_copy(name); /* set $domain */
- rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
- &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
- deliver_domain = save_domain;
- try_again_recursion = FALSE;
+ try_again_recursion = TRUE;
+ save_domain = deliver_domain;
+ deliver_domain = string_copy(name); /* set $domain */
+ rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
+ &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
+ deliver_domain = save_domain;
+ try_again_recursion = FALSE;
+ }
if (rc != OK)
{