author Jeremy Harris <jgh146exb@wizmail.org> 2014-04-24 16:41:11 +0100
committer Jeremy Harris <jgh146exb@wizmail.org> 2014-04-24 17:45:26 +0100
commit 4e0983dcef8dd8630fc77aad39f7606e2ed32199
tree 86f0b448757d5c5c6e883639a011a41f51b7beaf /doc
parent e4e9c64246d34c3e77cf936935e55ddf16ed44d8
Dnssec observability: add variable $lookup_dnssec_authenticated
Diffstat (limited to 'doc')
-rw-r--r-- doc/doc-docbook/spec.xfpt 21
-rw-r--r-- doc/doc-txt/ChangeLog 1
2 files changed, 22 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 4370aa0b5..0e6a38bd9 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -6981,6 +6981,8 @@ ${lookup dnsdb{a=one.host.com:two.host.com}}
Thus, in the default case, as long as at least one of the DNS lookups
yields some data, the lookup succeeds.
+.new
+.cindex "DNSSEC" "dns lookup"
Use of &(DNSSEC)& is controlled by a dnssec modifier.
The possible keywords are
&"dnssec_strict"&, &"dnssec_lax"&, and &"dnssec_never"&.
@@ -6991,6 +6993,9 @@ is not labelled as authenticated data
is treated as equivalent to a temporary DNS error.
The default is &"never"&.
+See also the &$lookup_dnssec_authenticated$& variable.
+.wen
+
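Review bot: The context line "The default is &"never"&." directly above the added "See also" line does not match any of the three keywords listed for the modifier (&"dnssec_strict"&, &"dnssec_lax"&, &"dnssec_never"&). Since the paragraph is being marked .new here, change the default to read &"dnssec_never"& so the list and the stated default agree and a reader copying the keyword gets one the list contains.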
@@ -11448,6 +11453,16 @@ ability to find the amount of free space (only true for experimental systems),
the space value is -1. See also the &%check_log_space%& option.
+.new
+.vitem &$lookup_dnssec_authenticated$&
+.vindex "&$lookup_dnssec_authenticated$&"
+This variable is set after a DNS lookup done by
+either a dnslookup router or a dnsdb lookup expansion.
+It will be empty if &(DNSSEC)& was not requested,
+&"no"& if the result was not labelled as authenticated data
+and &"yes"& if it was.
+.wen
+
.vitem &$mailstore_basename$&
.vindex "&$mailstore_basename$&"
This variable is set only when doing deliveries in &"mailstore"& format in the
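Review bot: The new &$lookup_dnssec_authenticated$& entry does not say what the value means when a single router run or expansion issues several DNS queries. A dnsdb lookup can take a list such as a=one.host.com:two.host.com, and the dnslookup options documented later in this patch apply to a whole SRV, MX, A6, AAAA, A sequence. Please state whether "yes" means every answer was labelled as authenticated data or only the most recent one, and what the variable holds after a lookup that fails or defers. A configuration that gates a policy decision on "yes" depends on that definition.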
@@ -17649,6 +17664,7 @@ when there is a DNS lookup error.
+.new
.option dnssec_request_domains dnslookup "domain list&!!" unset
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
@@ -17658,8 +17674,12 @@ DNS lookups for domains matching &%dnssec_request_domains%& will be done with
the dnssec request bit set.
This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+See also the &$lookup_dnssec_authenticated$& variable.
+.wen
+
+.new
.option dnssec_require_domains dnslookup "domain list&!!" unset
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
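Review bot: The "See also the &$lookup_dnssec_authenticated$& variable." pointer is added to the dnssec_request_domains entry only; the dnssec_require_domains entry opened by the trailing .new gets no such line in the following hunk. Add the same cross-reference there, or note in that entry why the variable is not useful in the require case. The adjacent .wen / .new pair could also be one .new ... .wen span covering both options.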
@@ -17669,6 +17689,7 @@ DNS lookups for domains matching &%dnssec_request_domains%& will be done with
the dnssec request bit set. Any returns not having the Authenticated Data bit
(AD bit) set wil be ignored and logged as a host-lookup failure.
This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
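Review bot: The context line just above the added .wen reads "wil be ignored"; correct it to "will" while this paragraph is being marked as new. The hunk header also quotes "DNS lookups for domains matching &%dnssec_request_domains%&" as the nearest preceding text; if that sentence opens the dnssec_require_domains entry, it names the wrong option and should read &%dnssec_require_domains%&.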
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 8bf42d537..ddbd91135 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -92,6 +92,7 @@ TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list
Schlichting.
JH/18 New options dnssec_lax, dnssec_strict on dnsdb lookups.
+ New variable $lookup_dnssec_authenticated for observability.
TL/09 Bugzilla 609: Add -C option to exiqgrep, specify which exim.conf to use.
Patch submitted by Lars Timman.
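Review bot: The added ChangeLog line sits under JH/18, which describes the dnsdb lookup options only, while the spec.xfpt text in this same patch says the variable is set after a lookup by either a dnslookup router or a dnsdb expansion. Mention both here, for example "set by dnsdb lookups and the dnslookup router", so the ChangeLog does not suggest the variable is limited to dnsdb.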