Compiler quietening

[exim.git] / src / src / dns.c

diff --git a/src/src/dns.c b/src/src/dns.c
index 66633f741facf71ee65e71a5fee08b435ef3b2fd..f492613c4785f0e8141718cd94198ef7469316cb 100644 (file)
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -443,7 +443,7 @@ Returns:    bool indicating presence of AD bit
 */
 
 BOOL
-dns_is_secure(const dns_answer *dnsa)
+dns_is_secure(const dns_answer * dnsa)
 {
 #ifdef DISABLE_DNSSEC
 DEBUG(D_dns)
@@ -455,6 +455,13 @@ return h->ad ? TRUE : FALSE;
 #endif
 }
 
+static void
+dns_set_insecure(dns_answer * dnsa)
+{
+HEADER * h = (HEADER *)dnsa->answer;
+h->ad = 0;
+}
+
 
 
 
@@ -754,6 +761,7 @@ dns_lookup(dns_answer *dnsa, const uschar *name, int type,
 {
 int i;
 const uschar *orig_name = name;
+BOOL secure_so_far = TRUE;
 
 /* Loop to follow CNAME chains so far, but no further... */
 
@@ -808,7 +816,12 @@ for (i = 0; i < 10; i++)
 
   /* If any data records of the correct type were found, we are done. */
 
-  if (type_rr.data != NULL) return DNS_SUCCEED;
+  if (type_rr.data != NULL)
+    {
+    if (!secure_so_far)        /* mark insecure if any element of CNAME chain was */
+      dns_set_insecure(dnsa);
+    return DNS_SUCCEED;
+    }
 
   /* If there are no data records, we need to re-scan the DNS using the
   domain given in the CNAME record, which should exist (otherwise we should
@@ -821,6 +834,9 @@ for (i = 0; i < 10; i++)
   if (datalen < 0) return DNS_FAIL;
   name = data;
 
+  if (!dns_is_secure(dnsa))
+    secure_so_far = FALSE;
+
   DEBUG(D_dns) debug_printf("CNAME found: change to %s\n", name);
   }       /* Loop back to do another lookup */
 
@@ -1014,7 +1030,7 @@ if (type == T_CSA)
       /* Extract the numerical SRV fields (p is incremented) */
       p = rr->data;
       GETSHORT(priority, p);
-      GETSHORT(weight, p);
+      GETSHORT(weight, p);     weight = weight; /* compiler quietening */
       GETSHORT(port, p);
 
       /* Check the CSA version number */