DANE: do not check dns_again_means_nonexist for TLSA results of TRY_AGAIN

[exim.git] / src / src / dns.c

diff --git a/src/src/dns.c b/src/src/dns.c
index 2355409ecce282ae7a87feedf78b15b6628215ca..d39b4b5904e469c2985b0746d39b05835d8b2c85 100644 (file)
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -907,21 +907,30 @@ if (dnsa->answerlen < 0) switch (h_errno)
 
     /* Cut this out for various test programs */
 #ifndef STAND_ALONE
-    if (try_again_recursion)
+    /* Permitting dns_again_means nonexist for TLSA lookups breaks the
+    doewngrade resistance of dane, so avoid for those. */
+
+    if (type == T_TLSA)
+      rc = FAIL;
+    else
       {
-      log_write(0, LOG_MAIN|LOG_PANIC,
-       "dns_again_means_nonexist recursion seen for %s (assuming nonexist)",
-       name);
-      return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH);
-      }
+      if (try_again_recursion)
+       {
+       log_write(0, LOG_MAIN|LOG_PANIC,
+         "dns_again_means_nonexist recursion seen for %s"
+         " (assuming nonexist)", name);
+       return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type),
+                             DNS_NOMATCH);
+       }
 
-    try_again_recursion = TRUE;
-    save_domain = deliver_domain;
-    deliver_domain = string_copy(name);  /* set $domain */
-    rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
-      &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
-    deliver_domain = save_domain;
-    try_again_recursion = FALSE;
+      try_again_recursion = TRUE;
+      save_domain = deliver_domain;
+      deliver_domain = string_copy(name);  /* set $domain */
+      rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
+       &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
+      deliver_domain = save_domain;
+      try_again_recursion = FALSE;
+      }
 
     if (rc != OK)
       {