Any DNS record line in a zone file can be prefixed with "DELAY=" and
a number of milliseconds (followed by one space).
-Any DNS record line in a zone file can be prefixed with "DNSSEC ";
+Any DNS record line can be prefixed with "DNSSEC ";
if all the records found by a lookup are marked
as such then the response will have the "AD" bit set.
-Any DNS record line in a zone file can be prefixed with "AA "
+Any DNS record line can be prefixed with "NXDOMAIN ";
+The record will be ignored (but the prefix set still applied);
+This lets us return a DNSSEC NXDOMAIN.
+
+Any DNS record line can be prefixed with "AA "
if all the records found by a lookup are marked
as such then the response will have the "AA" bit set.
rrdomain[0] = 0; /* No previous domain */
(void)fseek(f, 0, SEEK_SET); /* Start again at the beginning */
-if (dnssec) *dnssec = TRUE; /* cancelled by first nonsecure rec found */
-if (aa) *aa = TRUE; /* cancelled by first non-aa rec found */
-
/* Scan for RRs */
while (fgets(CS buffer, sizeof(buffer), f) != NULL)
int qtlen = qtypelen;
BOOL rr_sec = FALSE;
BOOL rr_aa = FALSE;
+ BOOL rr_ignore = FALSE;
int delay = 0;
uint ttl = DEFAULT_TTL;
rr_sec = TRUE;
p += 7;
}
+ if (Ustrncmp(p, US"NXDOMAIN ", 9) == 0) /* ignore record content */
+ {
+ rr_ignore = TRUE;
+ p += 9;
+ }
else if (Ustrncmp(p, US"AA ", 3) == 0) /* tagged as authoritative */
{
rr_aa = TRUE;
/* The domain matches */
- if (yield == HOST_NOT_FOUND) yield = NO_DATA;
+ if (yield == HOST_NOT_FOUND)
+ {
+ yield = NO_DATA;
+ if (dnssec) *dnssec = TRUE; /* cancelled by first nonsecure rec found */
+ if (aa) *aa = TRUE; /* cancelled by first non-aa rec found */
+ }
/* Compare RR types; a CNAME record is always returned */
if (aa && !rr_aa)
*aa = FALSE; /* cancel AA return */
+ if (rr_ignore) continue;
+
yield = 0;
*countptr = *countptr + 1;
git://git.exim.org / exim.git / blobdiff