From 4e0983dcef8dd8630fc77aad39f7606e2ed32199 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 24 Apr 2014 16:41:11 +0100
Subject: Dnssec observability: add variable $lookup_dnssec_authenticated
---
doc/doc-docbook/spec.xfpt | 21 +++++++++++++++++++++
doc/doc-txt/ChangeLog | 1 +
2 files changed, 22 insertions(+)
(limited to 'doc')
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 4370aa0b5..0e6a38bd9 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -6981,6 +6981,8 @@ ${lookup dnsdb{a=one.host.com:two.host.com}} Thus, in the default case, as long as at least one of the DNS lookups yields some data, the lookup succeeds.
+.new
+.cindex "DNSSEC" "dns lookup"
 Use of &(DNSSEC)& is controlled by a dnssec modifier. The possible keywords are &"dnssec_strict"&, &"dnssec_lax"&, and &"dnssec_never"&.
@@ -6991,6 +6993,9 @@ is not labelled as authenticated data is treated as equivalent to a temporary DNS error. The default is &"never"&.
+See also the &$lookup_dnssec_authenticated$& variable.
+.wen
+
@@ -11448,6 +11453,16 @@ ability to find the amount of free space (only true for experimental systems), the space value is -1. See also the &%check_log_space%& option.
+.new
+.vitem &$lookup_dnssec_authenticated$&
+.vindex "&$lookup_dnssec_authenticated$&"
+This variable is set after a DNS lookup done by
+either a dnslookup router or a dnsdb lookup expansion.
+It will be empty if &(DNSSEC)& was not requested,
+&"no"& if the result was not labelled as authenticated data
+and &"yes"& if it was.
+.wen
+
 .vitem &$mailstore_basename$& .vindex "&$mailstore_basename$&" This variable is set only when doing deliveries in &"mailstore"& format in the
@@ -17649,6 +17664,7 @@ when there is a DNS lookup error.
+.new
 .option dnssec_request_domains dnslookup "domain list&!!" unset .cindex "MX record" "security" .cindex "DNSSEC" "MX lookup"
@@ -17658,8 +17674,12 @@ DNS lookups for domains matching &%dnssec_request_domains%& will be done with the dnssec request bit set. This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+See also the &$lookup_dnssec_authenticated$& variable.
+.wen
+
+.new
 .option dnssec_require_domains dnslookup "domain list&!!" unset .cindex "MX record" "security" .cindex "DNSSEC" "MX lookup"
@@ -17669,6 +17689,7 @@ DNS lookups for domains matching &%dnssec_request_domains%& will be done with the dnssec request bit set. Any returns not having the Authenticated Data bit (AD bit) set wil be ignored and logged as a host-lookup failure. This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 8bf42d537..ddbd91135 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -92,6 +92,7 @@ TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list Schlichting. JH/18 New options dnssec_lax, dnssec_strict on dnsdb lookups.
+ New variable $lookup_dnssec_authenticated for observability.
 TL/09 Bugzilla 609: Add -C option to exiqgrep, specify which exim.conf to use. Patch submitted by Lars Timman.
-- cgit v1.2.3