diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-11-20 20:17:32 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-11-20 20:17:32 +0000 |
commit | c85b3043a4a2ec41cbd8371c25ea265e809237eb (patch) | |
tree | 3930f749db76bb32c0c5cd27bff67d8080d6ec89 /src | |
parent | 1dc92d5af0dddcee977aab6da545951c051b2c58 (diff) |
When following a CNAME chain, if any lookup is insecure the whole must be too
Diffstat (limited to 'src')
-rw-r--r-- | src/src/dns.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/src/dns.c b/src/src/dns.c index 66633f741..56f81de7a 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -754,6 +754,7 @@ dns_lookup(dns_answer *dnsa, const uschar *name, int type, { int i; const uschar *orig_name = name; +BOOL secure_so_far = TRUE; /* Loop to follow CNAME chains so far, but no further... */ @@ -808,7 +809,12 @@ for (i = 0; i < 10; i++) /* If any data records of the correct type were found, we are done. */ - if (type_rr.data != NULL) return DNS_SUCCEED; + if (type_rr.data != NULL) + { + if (!secure_so_far) /* mark insecure if any element of CNAME chain was */ + ((HEADER *)dnsa->answer)->ad = 0; + return DNS_SUCCEED; + } /* If there are no data records, we need to re-scan the DNS using the domain given in the CNAME record, which should exist (otherwise we should @@ -821,6 +827,9 @@ for (i = 0; i < 10; i++) if (datalen < 0) return DNS_FAIL; name = data; + if (!dns_is_secure(dnsa)) + secure_so_far = FALSE; + DEBUG(D_dns) debug_printf("CNAME found: change to %s\n", name); } /* Loop back to do another lookup */ |