Lock out "A-for-A" DNS lookups.

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 216cf5f7b0bc4891a705e2ff6887e8d3a9b0a54e..629762d4c69f085a13816ad928a16f8e83500058 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.437 2006/11/20 11:57:56 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.438 2006/11/20 13:53:44 ph10 Exp $

 
 Change log file for Exim from version 4.21
 -------------------------------------------
 
 Change log file for Exim from version 4.21
 -------------------------------------------


@@ -325,6 +325,12 @@ JJ/07 exipick.20061117.2, added $received_ip_address and $received_port
 
 PH/46 Applied Jori Hamalainen's patch to add features to exiqsumm.
 
 
 PH/46 Applied Jori Hamalainen's patch to add features to exiqsumm.
 

+PH/47 Put in an explicit test for a DNS lookup of an address record where the
+      "domain" is actually an IP address, and force a failure. This locks out
+      those revolvers/nameservers that support "A-for-A" lookups, in
+      contravention of the specifications.
+
+

 
 
 Exim version 4.63
 
 
 Exim version 4.63

diff --git a/src/src/dns.c b/src/src/dns.c
index b86762ed4346e4b7f64de6d7d9e53d60fec8b856..a6c6d053bcbb8087e698a6ddf178611d35dfb458 100644 (file)
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/dns.c,v 1.15 2006/11/07 14:13:19 ph10 Exp $ */
+/* $Cambridge: exim/src/src/dns.c,v 1.16 2006/11/20 13:53:44 ph10 Exp $ */

 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *


@@ -453,6 +453,7 @@ Arguments:
 Returns:    DNS_SUCCEED   successful lookup
             DNS_NOMATCH   name not found (NXDOMAIN)
                           or name contains illegal characters (if checking)
 Returns:    DNS_SUCCEED   successful lookup
             DNS_NOMATCH   name not found (NXDOMAIN)
                           or name contains illegal characters (if checking)

+                          or name is an IP address (for IP address lookup)

             DNS_NODATA    domain exists, but no data for this type (NODATA)
             DNS_AGAIN     soft failure, try again later
             DNS_FAIL      DNS failure
             DNS_NODATA    domain exists, but no data for this type (NODATA)
             DNS_AGAIN     soft failure, try again later
             DNS_FAIL      DNS failure


@@ -539,7 +540,20 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR)
 number of bytes the message would need, so we need to check for this case. The
 effect is to truncate overlong data.
 
 number of bytes the message would need, so we need to check for this case. The
 effect is to truncate overlong data.
 

-If we are running in the test harness, instead of calling the normal resolver
+On some systems, res_search() will recognize "A-for-A" queries and return
+the IP address instead of returning -1 with h_error=HOST_NOT_FOUND. Some
+nameservers are also believed to do this. It is, of course, contrary to the
+specification of the DNS, so we lock it out. */
+
+if ((
+    #ifdef SUPPORT_A6
+    type == T_A6 ||
+    #endif
+    type == T_A || type == T_AAAA) &&
+    string_is_ip_address(name, NULL) != 0)
+  return DNS_NOMATCH;
+
+/* If we are running in the test harness, instead of calling the normal resolver

 (res_search), we call fakens_search(), which recognizes certain special
 domains, and interfaces to a fake nameserver for certain special zones. */
 
 (res_search), we call fakens_search(), which recognizes certain special
 domains, and interfaces to a fake nameserver for certain special zones. */