Change the default of dnssec_request_domains to '*'
author
Heiko Schlittermann (HS12-RIPE)
<hs@schlittermann.de>
Fri, 27 Sep 2019 01:42:46 +0000
(
03:42
+0200)
committer
Heiko Schlittermann (HS12-RIPE)
<hs@schlittermann.de>
Fri, 18 Oct 2019 08:43:55 +0000
(10:43 +0200)
doc/doc-docbook/spec.xfpt
doc/doc-txt/ChangeLog
src/src/configure.default
src/src/globals.c
src/src/lookups/dnsdb.c
src/src/transports/smtp.c
diff --git
a/doc/doc-docbook/spec.xfpt
b/doc/doc-docbook/spec.xfpt
index 6cfe0bf63095a0599ea712241cad7d7bb3a3e47b..da9d616aecc5a98960298b20d5ecd794a059cfdf 100644
--- a/
doc/doc-docbook/spec.xfpt
+++ b/
doc/doc-docbook/spec.xfpt
@@
-7331,7
+7331,7
@@
with the lookup.
With &"strict"& a response from the DNS resolver that
is not labelled as authenticated data
is treated as equivalent to a temporary DNS error.
With &"strict"& a response from the DNS resolver that
is not labelled as authenticated data
is treated as equivalent to a temporary DNS error.
-The default is &"
never
"&.
+The default is &"
lax
"&.
See also the &$lookup_dnssec_authenticated$& variable.
See also the &$lookup_dnssec_authenticated$& variable.
@@
-18382,7
+18382,7
@@
or for any deliveries caused by this router. You should not set this option
unless you really, really know what you are doing. See also the generic
transport option of the same name.
unless you really, really know what you are doing. See also the generic
transport option of the same name.
-.option dnssec_request_domains routers "domain list&!!"
unset
+.option dnssec_request_domains routers "domain list&!!"
*
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
.cindex "security" "MX lookup"
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
.cindex "security" "MX lookup"
@@
-24571,7
+24571,7
@@
See the &%search_parents%& option in chapter &<<CHAPdnslookup>>& for more
details.
details.
-.option dnssec_request_domains smtp "domain list&!!"
unset
+.option dnssec_request_domains smtp "domain list&!!"
*
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
.cindex "security" "MX lookup"
.cindex "MX record" "security"
.cindex "DNSSEC" "MX lookup"
.cindex "security" "MX lookup"
@@
-29055,7
+29055,8
@@
If DANE is requested and useable (see above) the following transport options are
If DANE is not usable, whether requested or not, and CA-anchored
verification evaluation is wanted, the above variables should be set appropriately.
If DANE is not usable, whether requested or not, and CA-anchored
verification evaluation is wanted, the above variables should be set appropriately.
-Currently the (router or transport options) &%dnssec_request_domains%& must be active and &%dnssec_require_domains%& is ignored.
+The router and transport option &%dnssec_request_domains%& must not be
+set to "never" and &%dnssec_require_domains%& is ignored.
If verification was successful using DANE then the "CV" item in the delivery log line will show as "CV=dane".
If verification was successful using DANE then the "CV" item in the delivery log line will show as "CV=dane".
diff --git
a/doc/doc-txt/ChangeLog
b/doc/doc-txt/ChangeLog
index 93f4a1eb2d7ca2118903ceaa8d9e7c36591e60aa..7568d2e0cb70ef4d81ea62a158a85c9294f061d9 100644
--- a/
doc/doc-txt/ChangeLog
+++ b/
doc/doc-txt/ChangeLog
@@
-192,6
+192,7
@@
JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
3.6.0, DH parameters are negotiated following RFC7919."
function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
3.6.0, DH parameters are negotiated following RFC7919."
+HS/06 Change the default of dnssec_request_domains to "*"
Exim version 4.92
-----------------
Exim version 4.92
-----------------
diff --git
a/src/src/configure.default
b/src/src/configure.default
index 245cc3925100bc24d05dfc3a20795a9e5b72a52b..8681499d8dc843045c7c252ce632c03d82886d95 100644
--- a/
src/src/configure.default
+++ b/
src/src/configure.default
@@
-690,9
+690,6
@@
dnslookup:
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
# if ipv6-enabled then instead use:
# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
# if ipv6-enabled then instead use:
# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
-.ifdef _HAVE_DNSSEC
- dnssec_request_domains = *
-.endif
no_more
# This closes the ROUTER_SMARTHOST ifdef around the choice of routing for
no_more
# This closes the ROUTER_SMARTHOST ifdef around the choice of routing for
diff --git
a/src/src/globals.c
b/src/src/globals.c
index 24281f239614a1715c72626409892e740825865d..677c03e77074a12831539d54db65149684490870 100644
--- a/
src/src/globals.c
+++ b/
src/src/globals.c
@@
-1362,7
+1362,7
@@
router_instance router_defaults = {
.pass_router = NULL,
.redirect_router = NULL,
.pass_router = NULL,
.redirect_router = NULL,
- .dnssec =
{ NULL, NULL }, /* dnssec_domains {require,request} */
+ .dnssec =
{ .request= US"*", .require=NULL },
};
uschar *router_name = NULL;
};
uschar *router_name = NULL;
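Review bot: The new router default `.dnssec = { .request= US"*", .require=NULL }` repeats the same `US"*"` literal that the transport default gets in src/src/transports/smtp.c in this commit; with the value spelled out in two translation units the router and transport defaults can drift apart silently, so a single shared constant in a header both files include (e.g. a `DNSSEC_REQUEST_DEFAULT` macro) would keep them in step. The field is a plain `uschar *`, so nothing stops a consumer of the request list from writing through or freeing what is now a string literal; it is worth confirming where `dnssec.request` is consumed that the pointer is treated as read-only. Requesting DNSSEC is not the same as requiring it: with `.require` left NULL, answers that are not authenticated are still accepted, so anyone wanting enforcement still has to set `dnssec_require_domains` explicitly, and the dropped `/* dnssec_domains {require,request} */` comment could usefully be replaced by one saying so. The `router_defaults` initializer starts above the hunk.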
diff --git
a/src/src/lookups/dnsdb.c
b/src/src/lookups/dnsdb.c
index 272734456215ce6dcbd8137ea83d8197ed8de30d..1cf8df739a44034df74266d50fa7dc0191d4742c 100644
--- a/
src/src/lookups/dnsdb.c
+++ b/
src/src/lookups/dnsdb.c
@@
-112,7
+112,7
@@
terminates option processing. Recognised options are:
causes the whole lookup to defer only if none of the DNS queries succeeds; and
'never', where all defers are as if the lookup failed. The default is 'lax'.
causes the whole lookup to defer only if none of the DNS queries succeeds; and
'never', where all defers are as if the lookup failed. The default is 'lax'.
-- 'dnssec_FOO', with 'strict', 'lax'
and 'never' (default)
. The meanings are
+- 'dnssec_FOO', with 'strict', 'lax'
(default), and 'never'
. The meanings are
require, try and don't-try dnssec respectively.
- 'retrans_VAL', set the timeout value. VAL is an Exim time specification
require, try and don't-try dnssec respectively.
- 'retrans_VAL', set the timeout value. VAL is an Exim time specification
@@
-136,7
+136,7
@@
dnsdb_find(void *handle, uschar *filename, const uschar *keystring, int length,
int rc;
int sep = 0;
int defer_mode = PASS;
int rc;
int sep = 0;
int defer_mode = PASS;
-int dnssec_mode =
OK
;
+int dnssec_mode =
PASS
;
int save_retrans = dns_retrans;
int save_retry = dns_retry;
int type;
int save_retrans = dns_retrans;
int save_retry = dns_retry;
int type;
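Review bot: The new initializer `int dnssec_mode = PASS;` encodes the documented default ('lax', per the comment change in this file's first hunk) in a bare return-code constant with no comment, so a reader of `dnsdb_find` has no way to tell which of strict/lax/never `PASS` stands for without finding the option parser further down. A one-line why-comment, `int dnssec_mode = PASS;  /* default 'lax': try DNSSEC, do not require it */`, would tie the code to the comment block; the mapping of OK/PASS to never/lax is inferred from the old and new defaults and should be confirmed against the parser. No test-suite change accompanies the flipped default (the six files listed for this commit are documentation, the default config and sources), so a test that performs a dnsdb lookup without an explicit dnssec_ option and checks that DNSSEC is now requested would be worth adding. The body of `dnsdb_find` continues past the hunk.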
diff --git
a/src/src/transports/smtp.c
b/src/src/transports/smtp.c
index c547c87faec807f6f0d166e02b72513bfd8aae00..fe28d860660fcf7affb2b239d5e80e82ce05f223 100644
--- a/
src/src/transports/smtp.c
+++ b/
src/src/transports/smtp.c
@@
-281,7
+281,7
@@
smtp_transport_options_block smtp_transport_option_defaults = {
.gethostbyname = FALSE,
.dns_qualify_single = TRUE,
.dns_search_parents = FALSE,
.gethostbyname = FALSE,
.dns_qualify_single = TRUE,
.dns_search_parents = FALSE,
- .dnssec = { .request=
NULL
, .require=NULL },
+ .dnssec = { .request=
US"*"
, .require=NULL },
.delay_after_cutoff = TRUE,
.hosts_override = FALSE,
.hosts_randomize = FALSE,
.delay_after_cutoff = TRUE,
.hosts_override = FALSE,
.hosts_randomize = FALSE,