Thus, in the default case, as long as at least one of the DNS lookups
yields some data, the lookup succeeds.
+.new
+.cindex "DNSSEC" "dns lookup"
Use of &(DNSSEC)& is controlled by a dnssec modifier.
The possible keywords are
&"dnssec_strict"&, &"dnssec_lax"&, and &"dnssec_never"&.
is treated as equivalent to a temporary DNS error.
The default is &"never"&.
+See also the &$lookup_dnssec_authenticated$& variable.
+.wen
+
the space value is -1. See also the &%check_log_space%& option.
+.new
+.vitem &$lookup_dnssec_authenticated$&
+.vindex "&$lookup_dnssec_authenticated$&"
+This variable is set after a DNS lookup done by
+either a dnslookup router or a dnsdb lookup expansion.
+It will be empty if &(DNSSEC)& was not requested,
+&"no"& if the result was not labelled as authenticated data
+and &"yes"& if it was.
+.wen
+
.vitem &$mailstore_basename$&
.vindex "&$mailstore_basename$&"
This variable is set only when doing deliveries in &"mailstore"& format in the
+.new
.option dnssec_request_domains dnslookup "domain list&!!" unset
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
the dnssec request bit set.
This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+See also the &$lookup_dnssec_authenticated$& variable.
+.wen
+
+.new
.option dnssec_require_domains dnslookup "domain list&!!" unset
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
the dnssec request bit set. Any returns not having the Authenticated Data bit
(AD bit) set wil be ignored and logged as a host-lookup failure.
This applies to all of the SRV, MX A6, AAAA, A lookup sequence.
+.wen
Schlichting.
JH/18 New options dnssec_lax, dnssec_strict on dnsdb lookups.
+ New variable $lookup_dnssec_authenticated for observability.
TL/09 Bugzilla 609: Add -C option to exiqgrep, specify which exim.conf to use.
Patch submitted by Lars Timman.
DNS_LOOKUP_AGAIN:
#endif
+lookup_dnssec_authenticated = NULL;
switch (dns_lookup(&dnsa, target, type, NULL))
{
/* If something bad happened (most commonly DNS_AGAIN), defer. */
dns_scan dnss;
dns_record *rr;
+ lookup_dnssec_authenticated = NULL;
if (dns_lookup(&dnsa, (uschar *)name, T_TXT, NULL) != DNS_SUCCEED) return PDKIM_FAIL;
/* Search for TXT record */
{ "localhost_number", vtype_int, &host_number },
{ "log_inodes", vtype_pinodes, (void *)FALSE },
{ "log_space", vtype_pspace, (void *)FALSE },
+ { "lookup_dnssec_authenticated",vtype_stringptr,&lookup_dnssec_authenticated},
{ "mailstore_basename", vtype_stringptr, &mailstore_basename },
#ifdef WITH_CONTENT_SCAN
{ "malware_name", vtype_stringptr, &malware_name },
BOOL log_timezone = FALSE;
unsigned int log_write_selector= L_default;
uschar *login_sender_address = NULL;
+uschar *lookup_dnssec_authenticated = NULL;
int lookup_open_max = 25;
uschar *lookup_value = NULL;
extern uschar *login_sender_address; /* The actual sender address */
extern lookup_info **lookup_list; /* Array of pointers to available lookups */
extern int lookup_list_count; /* Number of entries in the list */
+extern uschar *lookup_dnssec_authenticated; /* AD status of dns lookup */
extern int lookup_open_max; /* Max lookup files to cache */
extern uschar *lookup_value; /* Value looked up from file */
int rc = dns_lookup(&dnsa, lname, type, NULL);
int count = 0;
+ lookup_dnssec_authenticated = NULL;
+
switch(rc)
{
case DNS_SUCCEED: break;
static int
set_address_from_dns(host_item *host, host_item **lastptr,
uschar *ignore_target_hosts, BOOL allow_ip, uschar **fully_qualified_name,
- BOOL dnssec_require)
+ BOOL dnssec_requested, BOOL dnssec_require)
{
dns_record *rr;
host_item *thishostlast = NULL; /* Indicates not yet filled in anything */
dns_scan dnss;
int rc = dns_lookup(&dnsa, host->name, type, fully_qualified_name);
+ lookup_dnssec_authenticated = !dnssec_requested ? NULL
+ : dns_is_secure(&dnsa) ? US"yes" : US"no";
/* We want to return HOST_FIND_AGAIN if one of the A, A6, or AAAA lookups
fails or times out, but not if another one succeeds. (In the early
magic. */
rc = dns_lookup(&dnsa, buffer, ind_type, &temp_fully_qualified_name);
+ lookup_dnssec_authenticated = !dnssec_request ? NULL
+ : dns_is_secure(&dnsa) ? US"yes" : US"no";
+
if (temp_fully_qualified_name != buffer && fully_qualified_name != NULL)
*fully_qualified_name = temp_fully_qualified_name + prefix_length;
{
ind_type = T_MX;
rc = dns_lookup(&dnsa, host->name, ind_type, fully_qualified_name);
+ lookup_dnssec_authenticated = !dnssec_request ? NULL
+ : dns_is_secure(&dnsa) ? US"yes" : US"no";
+
switch (rc)
{
case DNS_NOMATCH:
host->mx = MX_NONE;
host->port = PORT_NONE;
rc = set_address_from_dns(host, &last, ignore_target_hosts, FALSE,
- fully_qualified_name, dnssec_require);
+ fully_qualified_name, dnssec_request, dnssec_require);
/* If one or more address records have been found, check that none of them
are local. Since we know the host items all have their IP addresses
{
if (h->address != NULL) continue; /* Inserted by a multihomed host */
rc = set_address_from_dns(h, &last, ignore_target_hosts, allow_mx_to_ip,
- NULL, dnssec_require);
+ NULL, dnssec_request, dnssec_require);
if (rc != HOST_FOUND)
{
h->status = hstatus_unusable;
#endif
rc = dns_special_lookup(&dnsa, domain, type, &found);
+ lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
+ : dns_is_secure(&dnsa) ? US"yes" : US"no";
+
if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
if (rc != DNS_SUCCEED)
{
git://git.exim.org / exim.git / commitdiff