author: Phil Pennock <pdp@exim.org> 2012-06-01 10:15:14 -0400
committer: Phil Pennock <pdp@exim.org> 2012-06-01 10:15:14 -0400
commit: 1f4a55daf88541563ceaa66959acb9127604b15a
tree: 940e4b6bc5d000c0da581c359d32796ee3ebd127 /doc
parent: a9856e878c0aeafea7b0ca5917d24feece4a44c0
DNSSEC babystep: dns_use_dnssec & $sender_host_dnssec
Diffstat (limited to 'doc'):
-rw-r--r--  doc/doc-docbook/spec.xfpt    | 40
-rw-r--r--  doc/doc-txt/ChangeLog        |  4
-rw-r--r--  doc/doc-txt/NewStuff         |  8
-rw-r--r--  doc/doc-txt/OptionLists.txt  |  2
4 files changed, 54 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 78d5b0b18..64aac1ae5 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -11687,6 +11687,31 @@ driver that successfully authenticated the client from which the message was
received. It is empty if there was no successful authentication. See also
&$authenticated_id$&.
+.new
+.vitem &$sender_host_dnssec$&
+.vindex "&$sender_host_dnssec$&"
+If &$sender_host_name$& has been populated (by reference, &%hosts_lookup%& or
+otherwise) then this boolean will have been set true if, and only if, the
+resolver library states that the reverse DNS was authenticated data. At all
+other times, this variable is false.
+
+It is likely that you will need to coerce DNSSEC support on in the resolver
+library, by setting:
+.code
+dns_use_dnssec = 1
+.endd
+
+Exim does not perform DNSSEC validation itself, instead leaving that to a
+validating resolver (eg, unbound, or bind with suitable configuration).
+
+Exim does not (currently) check to see if the forward DNS was also secured
+with DNSSEC, only the reverse DNS.
+
+If you have changed &%host_lookup_order%& so that &`bydns`& is not the first
+mechanism in the list, then this variable will be false.
+.wen
+
+
.vitem &$sender_host_name$&
.vindex "&$sender_host_name$&"
When a message is received from a remote host, this variable contains the
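Review bot: the cross-reference on the "If &$sender_host_name$& has been populated" line is spelled &%hosts_lookup%&, but the main option that triggers reverse lookups is host_lookup (singular); please check the spelling so the reference resolves in the generated manual. A documentation point for the same vitem: since the text states that Exim does not validate itself and only reports that "the resolver library states that the reverse DNS was authenticated data", it would help operators to add one sentence saying that $sender_host_dnssec is therefore only as trustworthy as the validating resolver and the path between Exim and it, so the variable should not be used as a policy input when the resolver is remote and the channel to it is not trusted. Minor style: "eg," should read "e.g.", and "bind" is normally written "BIND".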
@@ -12836,6 +12861,9 @@ See also the &'Policy controls'& section above.
.row &%dns_ipv4_lookup%& "only v4 lookup for these domains"
.row &%dns_retrans%& "parameter for resolver"
.row &%dns_retry%& "parameter for resolver"
+.new
+.row &%dns_use_dnssec%& "parameter for resolver"
+.wen
.row &%dns_use_edns0%& "parameter for resolver"
.row &%hold_domains%& "hold delivery for these domains"
.row &%local_interfaces%& "for routing checks"
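Review bot: the summary on the ".row &%dns_use_dnssec%&" line copies the generic "parameter for resolver" wording of its neighbours; a more specific phrase such as "request DNSSEC from resolver" would let readers locate the option from the table, which is the purpose of this summary section.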
@@ -13476,6 +13504,18 @@ to set in them.
See &%dns_retrans%& above.
+.new
+.option dns_use_dnssec main integer -1
+.cindex "DNS" "resolver options"
+.cindex "DNS" "DNSSEC"
+If this option is set to a non-negative number then Exim will initialise the
+DNS resolver library to either use or not use DNSSEC, overriding the system
+default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on.
+
+If the resolver library does not support DNSSEC then this option has no effect.
+.wen
+
+
.option dns_use_edns0 main integer -1
.cindex "DNS" "resolver options"
.cindex "DNS" "EDNS0"
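Review bot: the text under ".option dns_use_dnssec main integer -1" only defines behaviour for -1, 0 and 1 ("a non-negative number ... 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on"), so a value of 2 or more is undocumented; either say that any positive value enables DNSSEC or that only 0 and 1 are accepted. Two further omissions worth fixing in this hunk: the option has no effect when Exim is built with DISABLE_DNSSEC (the NewStuff hunk mentions the build switch, the spec does not), and "coerces DNSSEC on" should be spelled out as asking the resolver library to send the DO flag, not as Exim performing any validation, so the reader does not expect more than the $sender_host_dnssec text promises.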
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index bfeaa4293..34f940592 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -12,6 +12,10 @@ PP/02 Make -n do something, by making it not do something.
PP/03 Added tls_dh_min_bits SMTP transport driver option, only honoured
by GnuTLS.
+PP/04 First step towards DNSSEC, provide $sender_host_dnssec for
+ $sender_host_name and config options to manage this, and basic check
+ routines.
+
Exim version 4.80
-----------------
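Review bot: the PP/04 entry speaks of "config options" in the plural and "basic check routines", while the documentation in this commit describes one main option, dns_use_dnssec, plus the DISABLE_DNSSEC build-time switch; naming them in the entry would keep the ChangeLog consistent with NewStuff and OptionLists.txt.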
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index be8285b67..093feee72 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -31,6 +31,14 @@ Version 4.81
Unless you really know what you are doing, leave it alone.
+ 4. If not built with DISABLE_DNSSEC, Exim now has the main option
+ dns_use_dnssec; if set to 1 then Exim will initialise the resolver library
+ to send the DO flag to your recursive resolver. If you have a recursive
+ resolver, which can set the Authenticated Data (AD) flag in results, Exim
+ can now detect this.
+
+ Current status: work-in-progress; $sender_host_dnssec variable added.
+
Version 4.80
------------
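Review bot: "If you have a recursive resolver, which can set the Authenticated Data (AD) flag in results" should say a validating recursive resolver, since a resolver that merely passes the DO flag through will not set AD; the comma after "resolver" also turns the restrictive clause into a non-restrictive one and should be dropped. Consider adding a pointer to the $sender_host_dnssec entry in the spec so readers of NewStuff find the caveat that only the reverse DNS, not the forward DNS, is checked.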
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index b8e8599ed..20d8dbdc5 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -180,6 +180,7 @@ dns_qualify_single boolean true smtp
dns_retrans time 0s main 1.60
dns_retry integer 0 main 1.60
dns_search_parents boolean false smtp
+dns_use_dnssec integer -1 main 4.81
dns_use_edns0 integer -1 main 4.76
domains domain list unset routers 4.00
driver string unset authenticators
@@ -840,6 +841,7 @@ DEFAULT_CRYPT optional default crypt() function
DELIVER_IN_BUFFER_SIZE optional*
DELIVER_OUT_BUFFER_SIZE optional*
DISABLE_DKIM optional disables DKIM support
+DISABLE_DNSSEC optional disables attempts to use DNSSEC
DISABLE_D_OPTION optional disables -D option
ERRNO_QUOTA optional* error code for system quota failures
EXICYCLOG_MAX optional number of old log files to keep