author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-10-21 17:17:37 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-10-22 22:41:04 +0100 |
commit | 979c462ed43bd4f53f61a0031ec22967dea83902 (patch) | |
tree | 1d221e86b1d0585d86358cd5364eb60b2f9d1e65 /src | |
parent | e9da179430937b68fbbb080187eb64607b894743 (diff) |
Be careful about DNS response AD/AA bits for error returns
Diffstat (limited to 'src')
-rw-r--r-- | src/src/dns.c | 18 | ||||
-rw-r--r-- | src/src/host.c | 2 |
2 files changed, 12 insertions, 8 deletions
diff --git a/src/src/dns.c b/src/src/dns.c
index 4750f1b52..8d9ec4708 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -498,13 +498,13 @@ const HEADER * h = (const HEADER *) dnsa->answer;
 const uschar * auth_name;
 const uschar * trusted;
+if (dnsa->answerlen < 0) return FALSE;
 if (h->ad) return TRUE;
-/* If the resolver we ask is authoritative for the domain in question, it
-* may not set the AD but the AA bit. If we explicitly trust
-* the resolver for that domain (via a domainlist in dns_trust_aa),
-* we return TRUE to indicate a secure answer.
-*/
+/* If the resolver we ask is authoritative for the domain in question, it may
+not set the AD but the AA bit. If we explicitly trust the resolver for that
+domain (via a domainlist in dns_trust_aa), we return TRUE to indicate a secure
+answer. */
 if ( !h->aa
 || !dns_trust_aa
@@ -540,12 +540,12 @@ h->aa = h->ad = 0;
 ************************************************/
 BOOL
-dns_is_aa(const dns_answer *dnsa)
+dns_is_aa(const dns_answer * dnsa)
 {
 #ifdef DISABLE_DNSSEC
 return FALSE;
 #else
-return ((const HEADER*)dnsa->answer)->aa;
+return dnsa->answerlen >= 0 && ((const HEADER *)dnsa->answer)->aa;
 #endif
 }
@@ -788,7 +788,10 @@ caching for successful lookups. */
 if ((rc = dns_fail_cache_hit(name, type)) > 0)
+ {
+ dnsa->answerlen = -1;
 return rc;
+ }
 #ifdef SUPPORT_I18N
 /* Convert all names to a-label form before doing lookup */
@@ -857,6 +860,7 @@ if ((type == T_A || type == T_AAAA) && string_is_ip_address(name, NULL) != 0)
 (res_search), we call fakens_search(), which recognizes certain special
 domains, and interfaces to a fake nameserver for certain special zones. */
+h_errno = 0;
 dnsa->answerlen = f.running_in_test_harness
 ? fakens_search(name, type, dnsa->answer, sizeof(dnsa->answer))
 : res_search(CCS name, C_IN, type, dnsa->answer, sizeof(dnsa->answer));
diff --git a/src/src/host.c b/src/src/host.c
index 4081729ab..3c2b8b3c8 100644
--- a/src/src/host.c
+++ b/src/src/host.c
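Review bot: A response shorter than the DNS header still reaches `h->ad` in dns_is_secure(), because the added guard rejects only a negative answerlen; the flag bits would then come from whatever dnsa->answer held before. Comparing against the header size closes that gap: `if (dnsa->answerlen < (int) sizeof(HEADER)) return FALSE;` (the cast assumes answerlen is an int, which the `< 0` test suggests). The `dnsa->answerlen >= 0 &&` test added to dns_is_aa() in the -540 hunk has the same gap. Whether the resolver can return such a short non-negative length is not visible here, so this is hardening rather than a confirmed fault; dns_is_secure() starts and ends outside the hunk.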
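Review bot: Only the fail-cache return in the -788 hunk marks the answer invalid, so any other return taken before the resolver call assigns answerlen would leave the length, and with it the AD/AA bits, from the previous use of dnsa. The -857 hunk header shows at least one more conditional ahead of res_search(), though its body is not visible. Setting `dnsa->answerlen = -1;` once at function entry, before the first return, would cover every early exit and make the braces added here unnecessary. The function starts and ends outside the hunk, so this needs checking against the full body.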
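Review bot: The added `h_errno = 0;` in the -857 hunk carries no comment, and its purpose cannot be read from the line itself; presumably it keeps a value left by an earlier lookup from being interpreted after this call fails. A one-line comment above it would record that, for example `/* Clear h_errno so a stale value is not taken for this lookup's error */`. The test-harness branch calls fakens_search() instead of res_search(), and whether that path sets h_errno on failure is not visible here and is worth confirming. The code that reads h_errno lies outside the hunk.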
@@ -2648,7 +2648,7 @@ if (rc != DNS_SUCCEED && whichrrs & HOST_FIND_BY_MX)
 if (dnssec_request)
 if (dns_is_secure(dnsa))
 {
- DEBUG(D_host_lookup) debug_printf("%s MX DNSSEC\n", host->name);
+ DEBUG(D_host_lookup) debug_printf("%s (MX resp) DNSSEC\n", host->name);
 dnssec = DS_YES; lookup_dnssec_authenticated = US"yes";
 }
 else |