-rw-r--r-- | doc/doc-docbook/spec.xfpt | 21 | ||||
-rw-r--r-- | doc/doc-txt/NewStuff | 3 | ||||
-rw-r--r-- | src/src/dns.c | 71 |
3 files changed, 61 insertions, 34 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 09ce793b0..fefc8e3f3 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -11745,6 +11745,9 @@ a dnsdb lookup expansion, dnslookup router or smtp transport. It will be empty if &(DNSSEC)& was not requested, &"no"& if the result was not labelled as authenticated data and &"yes"& if it was. +Results that are labelled as authoritive answer that match +the $%dns_trust_aa%& configuration variable count also +as authenticated data. .vitem &$mailstore_basename$& .vindex "&$mailstore_basename$&" @@ -13586,6 +13589,7 @@ See also the &'Policy controls'& section above. .row &%dns_ipv4_lookup%& "only v4 lookup for these domains" .row &%dns_retrans%& "parameter for resolver" .row &%dns_retry%& "parameter for resolver" +.row &%dns_trust_aa%& "nameservers trusted as authentic" .row &%dns_use_edns0%& "parameter for resolver" .row &%hold_domains%& "hold delivery for these domains" .row &%local_interfaces%& "for routing checks" @@ -14283,6 +14287,23 @@ See also the &%slow_lookup_log%& option. See &%dns_retrans%& above. +.option dns_trust_aa main domain list&!! unset +.cindex "DNS" "resolver options" +.cindex "DNS" "DNSSEC" +If this option is set then lookup results marked with an AA bit +(Authoratative Answer) are trusted when they come from one +of the listed domains, as if they were marked as having been +DNSSEC-verified. + +Use this option only if you talk directly to the resolver +for your local domains, and list only it. +It is needed when the resolver does not return an AD bit +for its local domains. +The first SOA or NS record appearing in the results is compared +against the option value. + + +.cindex "DNS" "resolver options" .option dns_use_edns0 main integer -1 .cindex "DNS" "resolver options" .cindex "DNS" "EDNS0" diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 3c58b42ef..a0002b620 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff 
@@ -40,6 +40,9 @@ Version 4.86 13. Main option "tls_eccurve" for selecting an Elliptic Curve for TLS. Patch originally by Wolfgang Breyha.
+14. Main option "dns_trust_aa" for trusting your local nameserver at the
+ same level as DNSSEC. + Version 4.85 ------------
diff --git a/src/src/dns.c b/src/src/dns.c
index 29078dacd..4f84bfc45 100644
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -403,22 +403,24 @@ return &(dnss->srr);
 /* Extract the AUTHORITY info from the answer. If the
- * answer isn't authoritive (AA) we do not extract anything.
- * We've to search for SOA or NS records, since there may be
- * other records (e.g. NSEC3) too.
- */
-static const uschar*
-dns_extract_auth_name(const dns_answer *dnsa) /* FIXME: const dns_answer */
+answer isn't authoritive (AA) we do not extract anything.
+We've to search for SOA or NS records, since there may be
+other records (e.g. NSEC3) too.
+*/
+
+static const uschar *
+dns_extract_auth_name(const dns_answer * dnsa) /* FIXME: const dns_answer */
 {
- dns_scan dnss;
- dns_record *rr;
- HEADER *h = (HEADER *) dnsa->answer;
- if (!h->nscount || !h->aa) return NULL;
- for (rr = dns_next_rr((dns_answer*) dnsa, &dnss, RESET_AUTHORITY);
- rr;
- rr = dns_next_rr((dns_answer*) dnsa, &dnss, RESET_NEXT))
- if (rr->type == T_SOA || rr->type == T_NS) return rr->name;
- return NULL;
+dns_scan dnss;
+dns_record * rr;
+HEADER * h = (HEADER *) dnsa->answer;
+
+if (!h->nscount || !h->aa) return NULL;
+for (rr = dns_next_rr((dns_answer*) dnsa, &dnss, RESET_AUTHORITY);
+ rr;
+ rr = dns_next_rr((dns_answer*) dnsa, &dnss, RESET_NEXT))
+ if (rr->type == T_SOA || rr->type == T_NS) return rr->name;
+return NULL;
 }
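Review bot: `return rr->name` hands back a pointer into `dnss`, a local of dns_extract_auth_name: the context line `return &(dnss->srr);` shows dns_next_rr returns the record embedded in the caller's scan struct, and if `name` is an array member of dns_record rather than a pointer (it appears to be, since the same record is reused across iterations), the string is gone once this function returns and dns_is_secure then matches against a dangling stack buffer. Copy it before returning, e.g. `if (rr->type == T_SOA || rr->type == T_NS) return string_copy(rr->name);`, or have the caller supply the buffer. The defect predates this commit, which only reindents the function, but the new caller in dns_is_secure now depends on the returned value. While here, the body comment would read better as `We have to search for SOA or NS records, since there may be other records (e.g. NSEC3) too.`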
@@ -444,31 +446,32 @@ DEBUG(D_dns) debug_printf("DNSSEC support disabled at build-time; dns_is_secure() false\n");
 return FALSE;
 #else
-HEADER *h = (HEADER *) dnsa->answer;
+HEADER * h = (HEADER *) dnsa->answer;
+const uschar * auth_name;
+const uschar * trusted;
 if (h->ad) return TRUE;
-else
- {
- /* If the resolver we ask is authoritive for the domain in question, it
- * may not set the AD but the AA bit. If we explicitly trust
- * the resolver for that domain (via a domainlist in dns_trust_aa),
- * we return TRUE to indicate a secure answer.
- */
- const uschar *auth_name;
- const uschar *trusted;
- if (!h->aa || !dns_trust_aa) return FALSE;
+/* If the resolver we ask is authoritive for the domain in question, it
+* may not set the AD but the AA bit. If we explicitly trust
+* the resolver for that domain (via a domainlist in dns_trust_aa),
+* we return TRUE to indicate a secure answer.
+*/
- trusted = expand_string(dns_trust_aa);
- auth_name = dns_extract_auth_name(dnsa);
- if (OK != match_isinlist(auth_name, &trusted, 0, NULL, NULL, MCL_DOMAIN, TRUE, NULL))
- return FALSE;
+if ( !h->aa
+ || !dns_trust_aa
+ || !*(trusted = expand_string(dns_trust_aa))
+ || !(auth_name = dns_extract_auth_name(dnsa))
+ || OK != match_isinlist(auth_name, &trusted, 0, NULL, NULL,
+ MCL_DOMAIN, TRUE, NULL)
+ )
+ return FALSE;
- DEBUG(D_dns)
- debug_printf("DNS faked the AD bit (got AA and matched with dns_trust_aa (%s in %s))\n", auth_name, dns_trust_aa);
+DEBUG(D_dns) debug_printf("DNS faked the AD bit "
+ "(got AA and matched with dns_trust_aa (%s in %s))\n",
+ auth_name, dns_trust_aa);
- return TRUE;
-}
+return TRUE;
 #endif
 } |
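Review bot: The new condition `!*(trusted = expand_string(dns_trust_aa))` dereferences the expansion result before testing it for NULL, which expand_string returns when the option (declared `&!!`, i.e. expanded) fails to expand, so a failed expansion now crashes in this chain where the old code at least did not dereference it here. Split the test into `|| !(trusted = expand_string(dns_trust_aa))` followed by `|| !*trusted`, and consider a DEBUG line reporting expand_string_message on that path so a misconfiguration is visible rather than silently treated as untrusted. Note also that auth_name is taken from the authority section of the reply itself, so nothing in this check identifies which server answered; the restriction in the spec text (list only a resolver you talk to directly) is the real guard and deserves a sentence in the comment above the `if`. dns_is_secure begins before this hunk.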