unset was to force an expansion failure. That still works, and
an empty string is now equivalent.
+PP/19 Renamed DNSSEC-enabling option to "dns_dnssec_ok", to make it
+ clearer that Exim is using the DO (DNSSEC OK) EDNS0 resolver flag,
+ not performing validation itself.
+
Exim version 4.80.1
-------------------
Unless you really know what you are doing, leave it alone.
4. If not built with DISABLE_DNSSEC, Exim now has the main option
- dns_use_dnssec; if set to 1 then Exim will initialise the resolver library
+ dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library
to send the DO flag to your recursive resolver. If you have a recursive
resolver, which can set the Authenticated Data (AD) flag in results, Exim
- can now detect this.
+ can now detect this. Exim does not perform validation itself, instead
+ relying upon a trusted path to the resolver.
Current status: work-in-progress; $sender_host_dnssec variable added.
# ifndef RES_USE_EDNS0
# error Have RES_USE_DNSSEC but not RES_USE_EDNS0? Something hinky ...
# endif
-if (dns_use_dnssec >= 0)
+if (dns_dnssec_ok >= 0)
{
- if (dns_use_edns0 == 0 && dns_use_dnssec != 0)
+ if (dns_use_edns0 == 0 && dns_dnssec_ok != 0)
{
DEBUG(D_resolver)
- debug_printf("CONFLICT: dns_use_edns0 forced false, dns_use_dnssec forced true!\n");
+ debug_printf("CONFLICT: dns_use_edns0 forced false, dns_dnssec_ok forced true, ignoring latter!\n");
}
else
{
- if (dns_use_dnssec)
+ if (dns_dnssec_ok)
resp->options |= RES_USE_DNSSEC;
else
resp->options &= ~RES_USE_DNSSEC;
DEBUG(D_resolver) debug_printf("Coerced resolver DNSSEC support %s.\n",
- dns_use_dnssec ? "on" : "off");
+ dns_dnssec_ok ? "on" : "off");
}
}
# else
-if (dns_use_dnssec >= 0)
+if (dns_dnssec_ok >= 0)
DEBUG(D_resolver)
debug_printf("Unable to %sset DNSSEC without resolver support.\n",
- dns_use_dnssec ? "" : "un");
+ dns_dnssec_ok ? "" : "un");
# endif
#endif /* DISABLE_DNSSEC */
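Review bot: The conflict branch reports the `dns_use_edns0` forced-false / `dns_dnssec_ok` forced-true clash only through `debug_printf` under `DEBUG(D_resolver)`, so without resolver debugging an administrator who asked for the DO flag gets no indication that it was dropped. The `# else` branch ("Unable to %sset DNSSEC without resolver support") is equally silent. Anything that relies on `$sender_host_dnssec` would then quietly never see authenticated data, so this combination is better rejected or written to the main log when the configuration is read. The branch also leaves `resp->options` untouched, so "ignoring latter" holds only if the library default has the bit clear; a comment such as `/* conflict: RES_USE_DNSSEC left at the resolver default */` would make that explicit. The enclosing function starts and ends outside this hunk.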
uschar *dns_ipv4_lookup = NULL;
int dns_retrans = 0;
int dns_retry = 0;
-int dns_use_dnssec = -1; /* <0 = not coerced */
+int dns_dnssec_ok = -1; /* <0 = not coerced */
int dns_use_edns0 = -1; /* <0 = not coerced */
uschar *dnslist_domain = NULL;
uschar *dnslist_matched = NULL;
extern uschar *dns_ipv4_lookup; /* For these domains, don't look for AAAA (or A6) */
extern int dns_retrans; /* Retransmission time setting */
extern int dns_retry; /* Number of retries */
-extern int dns_use_dnssec; /* When constructing DNS query, set DO flag */
+extern int dns_dnssec_ok; /* When constructing DNS query, set DO flag */
extern int dns_use_edns0; /* Coerce EDNS0 support on/off in resolver. */
extern uschar *dnslist_domain; /* DNS (black) list domain */
extern uschar *dnslist_matched; /* DNS (black) list matched key */
{ "dns_ipv4_lookup", opt_stringptr, &dns_ipv4_lookup },
{ "dns_retrans", opt_time, &dns_retrans },
{ "dns_retry", opt_int, &dns_retry },
- { "dns_use_dnssec", opt_int, &dns_use_dnssec },
+ { "dns_dnssec_ok", opt_int, &dns_dnssec_ok },
{ "dns_use_edns0", opt_int, &dns_use_edns0 },
/* This option is now a no-op, retained for compability */
{ "drop_cr", opt_bool, &drop_cr },
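Review bot: The renamed entry `{ "dns_dnssec_ok", opt_int, &dns_dnssec_ok },` stays in the slot of the old name, between `dns_retry` and `dns_use_edns0`, which breaks the alphabetical order the other visible entries keep. If this table is searched by binary chop, as that ordering suggests, the option may not be found and a configuration that sets it would be rejected as unknown. The line should move to just before `{ "dns_ipv4_lookup", ... }`. Separately, `dns_use_dnssec` is dropped with no alias, so if that name ever shipped in a release, existing configurations will stop parsing. The table starts and ends outside this hunk, so the exact neighbouring entry cannot be confirmed from here.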