authorHeiko Schlittermann (HS12) <hs@schlittermann.de>2015-04-09 17:30:58 +0200
committerHeiko Schlittermann (HS12) <hs@schlittermann.de>2015-04-25 22:39:39 +0200
commit99c1bb4ed9d99c7b0f615750c37884d7a7f9aa0d (patch)
tree484d372d52347d4f54307888c301189a5444ca78
parent8d42c8364882bf2d743a5b876d6df741b6d67e40 (diff)
Make dnssec_request_domains/dnssec_require_domains generic
Not only the dnslookup router should use DNSSEC for lookups. The manualroute and even queryprogram router may just generate a host list. The names then need to be resolved, optionally via DNSSEC.
-rw-r--r--doc/doc-docbook/spec.xfpt41
-rw-r--r--doc/doc-txt/ChangeLog2
-rw-r--r--src/src/globals.c5
-rw-r--r--src/src/route.c4
-rw-r--r--src/src/routers/dnslookup.c8
-rw-r--r--src/src/routers/dnslookup.h2
-rw-r--r--src/src/routers/rf_lookup_hostlist.c7
-rw-r--r--src/src/structs.h2
-rw-r--r--test/stdout/01472
-rw-r--r--test/stdout/04422
10 files changed, 40 insertions, 35 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index f274db74e..bd1c8bfdd 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -17018,6 +17018,25 @@ or for any deliveries caused by this router. You should not set this option
unless you really, really know what you are doing. See also the generic
transport option of the same name.
+.option dnssec_request_domains routers "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX, AAAA, A lookup sequence.
+
+.option dnssec_require_domains routers "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set. Any returns not having the Authenticated Data bit
+(AD bit) set wil be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX, AAAA, A lookup sequence.
+
.option domains routers&!? "domain list&!!" unset
.cindex "router" "restricting to specific domains"
@@ -18070,28 +18089,6 @@ when there is a DNS lookup error.
-.option dnssec_request_domains dnslookup "domain list&!!" unset
-.cindex "MX record" "security"
-.cindex "DNSSEC" "MX lookup"
-.cindex "security" "MX lookup"
-.cindex "DNS" "DNSSEC"
-DNS lookups for domains matching &%dnssec_request_domains%& will be done with
-the dnssec request bit set.
-This applies to all of the SRV, MX, AAAA, A lookup sequence.
-
-
-
-.option dnssec_require_domains dnslookup "domain list&!!" unset
-.cindex "MX record" "security"
-.cindex "DNSSEC" "MX lookup"
-.cindex "security" "MX lookup"
-.cindex "DNS" "DNSSEC"
-DNS lookups for domains matching &%dnssec_request_domains%& will be done with
-the dnssec request bit set. Any returns not having the Authenticated Data bit
-(AD bit) set wil be ignored and logged as a host-lookup failure.
-This applies to all of the SRV, MX, AAAA, A lookup sequence.
-
-
.option fail_defer_domains dnslookup "domain list&!!" unset
.cindex "MX record" "not found"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c0a965eeb..2421bab45 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -83,6 +83,8 @@ JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
JH/24 Verification callouts now attempt to use TLS by default.
+HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
+ are generic router options now. The defaults didn't change.
Exim version 4.85
diff --git a/src/src/globals.c b/src/src/globals.c
index a71c80ed9..868b27e83 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1168,7 +1168,10 @@ router_instance router_defaults = {
NULL, /* fallback_hostlist */
NULL, /* transport instance */
NULL, /* pass_router */
- NULL /* redirect_router */
+ NULL, /* redirect_router */
+
+ NULL, /* dnssec_request_domains */
+ NULL /* dnssec_require_domains */
};
uschar *router_name = NULL;
diff --git a/src/src/route.c b/src/src/route.c
index ec188801c..2f534b7bf 100644
--- a/src/src/route.c
+++ b/src/src/route.c
@@ -54,6 +54,10 @@ optionlist optionlist_routers[] = {
(void *)offsetof(router_instance, debug_string) },
{ "disable_logging", opt_bool | opt_public,
(void *)offsetof(router_instance, disable_logging) },
+ { "dnssec_request_domains", opt_stringptr|opt_public,
+ (void *)offsetof(router_instance, dnssec_request_domains) },
+ { "dnssec_require_domains", opt_stringptr|opt_public,
+ (void *)offsetof(router_instance, dnssec_require_domains) },
{ "domains", opt_stringptr|opt_public,
(void *)offsetof(router_instance, domains) },
{ "driver", opt_stringptr|opt_public,
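Review bot: Registering `dnssec_request_domains` and `dnssec_require_domains` as `opt_public` generic options means every router driver now accepts them, but in this commit only `dnslookup.c` and `rf_lookup_hostlist.c` read the new members. A router that never reaches those lookup paths will take `dnssec_require_domains` without enforcing anything, which an administrator could mistake for protection. The spec entry should name the routers that honour the option, and a short comment here would help, e.g. `/* honoured only by routers that resolve host names via host_find_bydns() */`. The option table continues outside the hunk.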
diff --git a/src/src/routers/dnslookup.c b/src/src/routers/dnslookup.c
index 650e56d33..69b240428 100644
--- a/src/src/routers/dnslookup.c
+++ b/src/src/routers/dnslookup.c
@@ -18,10 +18,6 @@ optionlist dnslookup_router_options[] = {
(void *)(offsetof(dnslookup_router_options_block, check_secondary_mx)) },
{ "check_srv", opt_stringptr,
(void *)(offsetof(dnslookup_router_options_block, check_srv)) },
- { "dnssec_request_domains", opt_stringptr,
- (void *)(offsetof(dnslookup_router_options_block, dnssec_request_domains)) },
- { "dnssec_require_domains", opt_stringptr,
- (void *)(offsetof(dnslookup_router_options_block, dnssec_require_domains)) },
{ "fail_defer_domains", opt_stringptr,
(void *)(offsetof(dnslookup_router_options_block, fail_defer_domains)) },
{ "mx_domains", opt_stringptr,
@@ -60,8 +56,6 @@ dnslookup_router_options_block dnslookup_router_option_defaults = {
NULL, /* mx_fail_domains */
NULL, /* srv_fail_domains */
NULL, /* check_srv */
- NULL, /* dnssec_request_domains */
- NULL, /* dnssec_require_domains */
NULL /* fail_defer_domains */
};
@@ -271,7 +265,7 @@ for (;;)
rc = host_find_bydns(&h, CUS rblock->ignore_target_hosts, flags, srv_service,
ob->srv_fail_domains, ob->mx_fail_domains,
- ob->dnssec_request_domains, ob->dnssec_require_domains,
+ rblock->dnssec_request_domains, rblock->dnssec_require_domains,
&fully_qualified_name, &removed);
if (removed) setflag(addr, af_local_host_removed);
diff --git a/src/src/routers/dnslookup.h b/src/src/routers/dnslookup.h
index 907ff0ce3..af01d5611 100644
--- a/src/src/routers/dnslookup.h
+++ b/src/src/routers/dnslookup.h
@@ -17,8 +17,6 @@ typedef struct {
uschar *mx_fail_domains;
uschar *srv_fail_domains;
uschar *check_srv;
- uschar *dnssec_request_domains;
- uschar *dnssec_require_domains;
uschar *fail_defer_domains;
} dnslookup_router_options_block;
diff --git a/src/src/routers/rf_lookup_hostlist.c b/src/src/routers/rf_lookup_hostlist.c
index ab2e4ec2c..7ff7f45e1 100644
--- a/src/src/routers/rf_lookup_hostlist.c
+++ b/src/src/routers/rf_lookup_hostlist.c
@@ -94,8 +94,8 @@ for (h = addr->host_list; h != NULL; h = next_h)
NULL, /* SRV service not relevant */
NULL, /* failing srv domains not relevant */
NULL, /* no special mx failing domains */
- NULL, /* no dnssec request XXX ? */
- NULL, /* no dnssec require XXX ? */
+ rblock->dnssec_request_domains, /* no dnssec request XXX ? */
+ rblock->dnssec_require_domains, /* no dnssec require XXX ? */
NULL, /* fully_qualified_name */
NULL); /* indicate local host removed */
}
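Review bot: The trailing comments on the two changed arguments still read `/* no dnssec request XXX ? */` and `/* no dnssec require XXX ? */`, which now contradicts the code because the router's lists are passed; the same stale comments are copied into the second hunk of this file. Suggest `rblock->dnssec_request_domains, /* router's dnssec_request_domains */` and `rblock->dnssec_require_domains, /* router's dnssec_require_domains */` in both places. The call and the enclosing loop start outside the hunk.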
@@ -120,7 +120,8 @@ for (h = addr->host_list; h != NULL; h = next_h)
DEBUG(D_route|D_host_lookup) debug_printf("doing DNS lookup\n");
rc = host_find_bydns(h, ignore_target_hosts, HOST_FIND_BY_A, NULL, NULL,
NULL,
- NULL, NULL, /*XXX dnssec? */
+ rblock->dnssec_request_domains, /* no dnssec request XXX ? */
+ rblock->dnssec_require_domains, /* no dnssec require XXX ? */
&canonical_name, &removed);
if (rc == HOST_FOUND)
{
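Review bot: Now that `rblock->dnssec_require_domains` is passed to `host_find_bydns`, whatever runs after a failed result must not resolve the same name by an unvalidated route, and the hunk stops at `if (rc == HOST_FOUND)` so that handling is not visible here. If this function falls back to a non-validating lookup when the DNS lookup fails (to be confirmed against the full file), a name on the require list would still be resolved without the AD bit check, making the option advisory on that path. A comment at the call would record the intent, e.g. `/* require list: a failure here must not fall back to an unvalidated lookup */`, ideally with a test case for a manualroute host list. The loop body continues outside the hunk.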
diff --git a/src/src/structs.h b/src/src/structs.h
index c181f3f6e..3f9fb6050 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -296,6 +296,8 @@ typedef struct router_instance {
transport_instance *transport; /* Transport block (when found) */
struct router_instance *pass_router; /* Actual router for passed address */
struct router_instance *redirect_router; /* Actual router for generated address */
+ uschar *dnssec_request_domains; /* ask for DNSSEC XXX */
+ uschar *dnssec_require_domains; /* require DNSSEC XXX */
} router_instance;
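Review bot: The comments on the two new members end in `XXX` and do not say what the fields hold or when they take effect. Suggest `uschar *dnssec_request_domains; /* domain list: set the DNSSEC request bit on lookups */` and `uschar *dnssec_require_domains; /* domain list: ignore answers lacking the AD bit */`, matching the wording of the spec entry. The members are appended after `redirect_router`, and `router_defaults` in globals.c is a positional initializer, so a one-line reminder that the two must stay in the same order would help the next person who adds a field. The struct starts outside the hunk.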
diff --git a/test/stdout/0147 b/test/stdout/0147
index b877c6110..45e48244b 100644
--- a/test/stdout/0147
+++ b/test/stdout/0147
@@ -23,6 +23,8 @@ no_check_local_user
condition =
debug_print =
no_disable_logging
+dnssec_request_domains =
+dnssec_require_domains =
domains =
driver = accept
no_dsn_lasthop
diff --git a/test/stdout/0442 b/test/stdout/0442
index b47d7b31b..34c6510fd 100644
--- a/test/stdout/0442
+++ b/test/stdout/0442
@@ -8,6 +8,8 @@ no_check_local_user
condition =
debug_print =
no_disable_logging
+dnssec_request_domains =
+dnssec_require_domains =
domains =
driver = accept
no_dsn_lasthop