author Jeremy Harris <jgh146exb@wizmail.org> 2014-04-27 18:17:29 +0100
committer Jeremy Harris <jgh146exb@wizmail.org> 2014-04-27 18:17:29 +0100
commit 578897ea8764001d0538b8b645d161524ba1fa4e
tree ec20d4f402eb782099f66a0fc3de1e45708103d7 /doc
parent 2b4a568dfa3d79a9a968984cf5b23829c084a951
Add options dnssec_request_domains, dnssec_require_domains to the smtp transport
Note there are no testsuite cases included.

TODO in this area:
- dnssec during verify-callouts
- dnssec on the forward lookup of a verify=helo and verify=reverse_host_lookup
Diffstat (limited to 'doc')
-rw-r--r-- doc/doc-docbook/spec.xfpt 31
-rw-r--r-- doc/doc-txt/ChangeLog 3
-rw-r--r-- doc/doc-txt/NewStuff 2
3 files changed, 32 insertions, 4 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 0e6a38bd9..0ecbaac5a 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -11457,7 +11457,7 @@ the space value is -1. See also the &%check_log_space%& option.
.vitem &$lookup_dnssec_authenticated$&
.vindex "&$lookup_dnssec_authenticated$&"
This variable is set after a DNS lookup done by
-either a dnslookup router or a dnsdb lookup expansion.
+a dnsdb lookup expansion, dnslookup router or smtp transport.
It will be empty if &(DNSSEC)& was not requested,
&"no"& if the result was not labelled as authenticated data
and &"yes"& if it was.
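Review bot: the reworded sentence ("a dnsdb lookup expansion, dnslookup router or smtp transport") does not say which lookup the value reflects when the smtp transport is the source. The option text added later in this patch says the setting applies to the whole SRV, MX, A6, AAAA, A lookup sequence, so state here whether &"yes"& means every lookup in that sequence was authenticated or only the most recent one; anyone keying a policy decision on this variable needs to know. The changed sentence is also not wrapped in .new/.wen, unlike the other additions to this file.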
@@ -17673,8 +17673,6 @@ when there is a DNS lookup error.
DNS lookups for domains matching &%dnssec_request_domains%& will be done with
the dnssec request bit set.
This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
-
-See also the &$lookup_dnssec_authenticated$& variable.
.wen
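Review bot: the removed "See also the &$lookup_dnssec_authenticated$& variable." line is the only pointer to that variable visible in this option's text, and the first hunk still lists the dnslookup router as one of the things that sets it. Keep the cross-reference here, and add the same line to the two new smtp transport options, which have none.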
@@ -22596,6 +22594,33 @@ See the &%search_parents%& option in chapter &<<CHAPdnslookup>>& for more
details.
+.new
+.option dnssec_request_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
+.new
+.option dnssec_require_domains smtp "domain list&!!" unset
+.cindex "MX record" "security"
+.cindex "DNSSEC" "MX lookup"
+.cindex "security" "MX lookup"
+.cindex "DNS" "DNSSEC"
+DNS lookups for domains matching &%dnssec_request_domains%& will be done with
+the dnssec request bit set. Any returns not having the Authenticated Data bit
+(AD bit) set wil be ignored and logged as a host-lookup failure.
+This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
+
+
+
.option dscp smtp string&!! unset
.cindex "DCSP" "outbound"
This option causes the DSCP value associated with a socket to be set to one
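Review bot: in the dnssec_require_domains entry the body text names the wrong option: "DNS lookups for domains matching &%dnssec_request_domains%&" should read &%dnssec_require_domains%&, otherwise the paragraph describes the require behaviour under the request option's name. In the same paragraph "wil be ignored" should be "will be ignored", and "MX A6" in both new entries is missing a comma ("SRV, MX, A6, AAAA, A"). It would also help to say whether a domain that matches only the require list gets the request bit set, since the text as written ties that to the request list.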
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index cff9803d7..d4240fa29 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -85,7 +85,8 @@ TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455.
JH/14 New options dnssec_request_domains, dnssec_require_domains on the
- dnslookup router (applying to the forward lookup).
+ dnslookup router and the smtp transport (applying to the forward
+ lookup).
TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list
of ldap servers used for a specific lookup. Patch provided by Heiko
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 6a1a5e8d1..33c66ceb9 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -42,6 +42,8 @@ Version 4.83
8. EXPERIMENTAL_OCSP now supports GnuTLS also, if you have version 3.1.3
or later of that.
+ 9. Support for DNSSEC on outbound connections.
+
Version 4.82
------------
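Review bot: item 9, "Support for DNSSEC on outbound connections.", is broader than what this patch documents, which is two smtp transport options that request, or require, authenticated data on the forward lookups. Name dnssec_request_domains and dnssec_require_domains in the entry so a reader can find them in the spec, and limit the wording to the DNS lookups done for delivery; the commit message lists verify callouts as still to do.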