diff options
| author | Heiko Schlittermann (HS12) <hs@schlittermann.de> | 2015-04-09 17:30:58 +0200 |
|---|---|---|
| committer | Heiko Schlittermann (HS12) <hs@schlittermann.de> | 2015-04-25 22:39:39 +0200 |
| commit | 99c1bb4ed9d99c7b0f615750c37884d7a7f9aa0d (patch) | |
| tree | 484d372d52347d4f54307888c301189a5444ca78 /doc | |
| parent | 8d42c8364882bf2d743a5b876d6df741b6d67e40 (diff) | |
Make dnssec_request_domains/dnssec_require_domains generic
Not only the dnslookup router should use DNSSEC for lookups. The
manualroute and even queryprogram router may just generate a host list.
The names then need to be resolved, optionally via DNSSEC.
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 41 | ||||
| -rw-r--r-- | doc/doc-txt/ChangeLog | 2 |
2 files changed, 21 insertions, 22 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index f274db74e..bd1c8bfdd 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -17018,6 +17018,25 @@ or for any deliveries caused by this router. You should not set this option unless you really, really know what you are doing. See also the generic transport option of the same name. +.option dnssec_request_domains routers "domain list&!!" unset +.cindex "MX record" "security" +.cindex "DNSSEC" "MX lookup" +.cindex "security" "MX lookup" +.cindex "DNS" "DNSSEC" +DNS lookups for domains matching &%dnssec_request_domains%& will be done with +the dnssec request bit set. +This applies to all of the SRV, MX, AAAA, A lookup sequence. + +.option dnssec_require_domains routers "domain list&!!" unset +.cindex "MX record" "security" +.cindex "DNSSEC" "MX lookup" +.cindex "security" "MX lookup" +.cindex "DNS" "DNSSEC" +DNS lookups for domains matching &%dnssec_request_domains%& will be done with +the dnssec request bit set. Any returns not having the Authenticated Data bit +(AD bit) set wil be ignored and logged as a host-lookup failure. +This applies to all of the SRV, MX, AAAA, A lookup sequence. + .option domains routers&!? "domain list&!!" unset .cindex "router" "restricting to specific domains" @@ -18070,28 +18089,6 @@ when there is a DNS lookup error. -.option dnssec_request_domains dnslookup "domain list&!!" unset -.cindex "MX record" "security" -.cindex "DNSSEC" "MX lookup" -.cindex "security" "MX lookup" -.cindex "DNS" "DNSSEC" -DNS lookups for domains matching &%dnssec_request_domains%& will be done with -the dnssec request bit set. -This applies to all of the SRV, MX, AAAA, A lookup sequence. - - - -.option dnssec_require_domains dnslookup "domain list&!!" unset -.cindex "MX record" "security" -.cindex "DNSSEC" "MX lookup" -.cindex "security" "MX lookup" -.cindex "DNS" "DNSSEC" -DNS lookups for domains matching &%dnssec_request_domains%& will be done with -the dnssec request bit set. Any returns not having the Authenticated Data bit -(AD bit) set wil be ignored and logged as a host-lookup failure. -This applies to all of the SRV, MX, AAAA, A lookup sequence. - - .option fail_defer_domains dnslookup "domain list&!!" unset .cindex "MX record" "not found" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index c0a965eeb..2421bab45 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -83,6 +83,8 @@ JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size JH/24 Verification callouts now attempt to use TLS by default. +HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) + are generic router options now. The defaults didn't change. Exim version 4.85 |