-/* We now have the result of the DNS lookup, either newly done, or cached
-from a previous call. If the lookup succeeded, check against the address
-list if there is one. This may be a positive equality list (introduced by
-"="), a negative equality list (introduced by "!="), a positive bitmask
-list (introduced by "&"), or a negative bitmask list (introduced by "!&").*/
-
-if (cb->rc == DNS_SUCCEED)
- {
- dns_address *da = NULL;
- uschar *addlist = cb->rhs->address;
-
- /* For A and AAAA records, there may be multiple addresses from multiple
- records. For A6 records (currently not expected to be used) there may be
- multiple addresses from a single record. */
-
- for (da = cb->rhs->next; da; da = da->next)
- addlist = string_sprintf("%s, %s", addlist, da->address);
-
- HDEBUG(D_dnsbl) debug_printf("DNS lookup for %s succeeded (yielding %s)\n",
- query, addlist);
-
- /* Address list check; this can be either for equality, or via a bitmask.
- In the latter case, all the bits must match. */
-
- if (iplist)
- {
- for (da = cb->rhs; da; da = da->next)
- {
- int ipsep = ',';
- uschar ip[46];
- const uschar *ptr = iplist;
- uschar *res;
-
- /* Handle exact matching */
-
- if (!bitmask)
- {
- while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))))
- if (Ustrcmp(CS da->address, ip) == 0)
- break;
- }
-
- /* Handle bitmask matching */
-
- else
- {
- int address[4];
- int mask = 0;
-
- /* At present, all known DNS blocking lists use A records, with
- IPv4 addresses on the RHS encoding the information they return. I
- wonder if this will linger on as the last vestige of IPv4 when IPv6
- is ubiquitous? Anyway, for now we use paranoia code to completely
- ignore IPv6 addresses. The default mask is 0, which always matches.
- We change this only for IPv4 addresses in the list. */
-
- if (host_aton(da->address, address) == 1) mask = address[0];
-
- /* Scan the returned addresses, skipping any that are IPv6 */
-
- while ((res = string_nextinlist(&ptr, &ipsep, ip, sizeof(ip))))
- {
- if (host_aton(ip, address) != 1) continue;
- if ((address[0] & mask) == address[0]) break;
- }
- }
-
- /* If either
-
- (a) An IP address in an any ('=') list matched, or
- (b) No IP address in an all ('==') list matched
-
- then we're done searching. */
-
- if (((match_type & MT_ALL) != 0) == (res == NULL)) break;
- }
-
- /* If da == NULL, either
-
- (a) No IP address in an any ('=') list matched, or
- (b) An IP address in an all ('==') list didn't match
-
- so behave as if the DNSBL lookup had not succeeded, i.e. the host is not on
- the list. */
-
- if ((match_type == MT_NOT || match_type == MT_ALL) != (da == NULL))
- {
- HDEBUG(D_dnsbl)
- {
- uschar *res = NULL;
- switch(match_type)
- {
- case 0:
- res = US"was no match"; break;
- case MT_NOT:
- res = US"was an exclude match"; break;
- case MT_ALL:
- res = US"was an IP address that did not match"; break;
- case MT_NOT|MT_ALL:
- res = US"were no IP addresses that did not match"; break;
- }
- debug_printf("=> but we are not accepting this block class because\n");
- debug_printf("=> there %s for %s%c%s\n",
- res,
- ((match_type & MT_ALL) == 0)? "" : "=",
- bitmask? '&' : '=', iplist);
- }
- return FAIL;
- }
- }
-
- /* Either there was no IP list, or the record matched, implying that the
- domain is on the list. We now want to find a corresponding TXT record. If an
- alternate domain is specified for the TXT record, call this function
- recursively to look that up; this has the side effect of re-checking that
- there is indeed an A record at the alternate domain. */
-
- if (domain_txt != domain)
- return one_check_dnsbl(domain_txt, domain_txt, keydomain, prepend, NULL,
- FALSE, match_type, defer_return);