DANE: do not check dns_again_means_nonexist for TLSA results of TRY_AGAIN
authorJeremy Harris <jgh146exb@wizmail.org>
Thu, 5 Jan 2023 18:39:51 +0000 (18:39 +0000)
committerJeremy Harris <jgh146exb@wizmail.org>
Thu, 5 Jan 2023 18:39:51 +0000 (18:39 +0000)
doc/doc-docbook/spec.xfpt
doc/doc-txt/ChangeLog
src/src/dns.c

index 946f55b1130e4bf2b31df791c40c2a53aca7b993..9243bd3f9babfbbd37bb8e6805f584d491bdb16d 100644 (file)
@@ -15621,7 +15621,12 @@ by a setting such as this:
 .code
 dns_again_means_nonexist = *.in-addr.arpa
 .endd
-This option applies to all DNS lookups that Exim does. It also applies when the
+This option applies to all DNS lookups that Exim does,
+.new
+except for TLSA lookups (where knowing about such failures
+is security-relevant).
+.wen
+It also applies when the
 &[gethostbyname()]& or &[getipnodebyname()]& functions give temporary errors,
 since these are most likely to be caused by DNS lookup problems. The
 &(dnslookup)& router has some options of its own for controlling what happens
index f51a23c9c9eadba023af75465caa72055ca2bbc7..45834756b1a5b7be528452e4bc2d2f131aeaa30b 100644 (file)
@@ -98,6 +98,10 @@ JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group.  Previously
       this always failed, probably leading to the usual downgrade to in-clear
       connections.
 
+JH/20 Fix TLSA lookups.  Previously dns_again_means_nonexist would affect
+      SERVFAIL results, which breaks the downgrade resistance of DANE.  Change
+      to not checking that list for these looks.
+
 
 Exim version 4.96
 -----------------
index 2355409ecce282ae7a87feedf78b15b6628215ca..d39b4b5904e469c2985b0746d39b05835d8b2c85 100644 (file)
@@ -907,21 +907,30 @@ if (dnsa->answerlen < 0) switch (h_errno)
 
     /* Cut this out for various test programs */
 #ifndef STAND_ALONE
-    if (try_again_recursion)
+    /* Permitting dns_again_means nonexist for TLSA lookups breaks the
+    doewngrade resistance of dane, so avoid for those. */
+
+    if (type == T_TLSA)
+      rc = FAIL;
+    else
       {
-      log_write(0, LOG_MAIN|LOG_PANIC,
-       "dns_again_means_nonexist recursion seen for %s (assuming nonexist)",
-       name);
-      return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), DNS_NOMATCH);
-      }
+      if (try_again_recursion)
+       {
+       log_write(0, LOG_MAIN|LOG_PANIC,
+         "dns_again_means_nonexist recursion seen for %s"
+         " (assuming nonexist)", name);
+       return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type),
+                             DNS_NOMATCH);
+       }
 
-    try_again_recursion = TRUE;
-    save_domain = deliver_domain;
-    deliver_domain = string_copy(name);  /* set $domain */
-    rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
-      &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
-    deliver_domain = save_domain;
-    try_again_recursion = FALSE;
+      try_again_recursion = TRUE;
+      save_domain = deliver_domain;
+      deliver_domain = string_copy(name);  /* set $domain */
+      rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
+       &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
+      deliver_domain = save_domain;
+      try_again_recursion = FALSE;
+      }
 
     if (rc != OK)
       {
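Review bot: The comment introduced above the new `if (type == T_TLSA)` branch misspells both the option name and the key word (`dns_again_means nonexist`, `doewngrade`) and does not say what the lookup becomes instead of a nonexist result. I would replace it with `/* dns_again_means_nonexist must not apply to TLSA lookups: mapping a SERVFAIL to "no TLSA records" would defeat DANE's downgrade resistance, so force a non-OK rc and keep the failure temporary. */`. Whether a non-OK rc is in fact reported as DNS_AGAIN is decided by the `if (rc != OK)` block whose body lies beyond the hunk, as do the start and end of the enclosing function, so the last clause should be checked against that code. The ChangeLog entry in this commit reuses the JH/20 tag already taken by the Bug 2954 entry and says "these looks" where "these lookups" is meant.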